March 6, 2024 • 45 mins
Prepare to navigate the turbulent skies of cybersecurity with Sige Brody, CTO of Optinine, as we unpack the pressing dangers and defenses within the aviation sector. Discover how Optinine's managed cloud computing services are revolutionizing the way airlines protect their most valuable assets, with a focus on robust disaster recovery and business continuity. Our journey will reveal the startling reality that, while commercial airlines protect company data like Fort Knox, their fleets might be flying with a target on their backs due to unencrypted communications and GPS spoofing threats.
As the conversation ascends, we examine the tightening mesh of regulations set to envelop European aviation by 2025 and contrast them with the FDA's slower pace. This segment dissects the curious paradox of current cybersecurity measures, where the commercial airline industry's crown jewels remain exposed to potential cyber-attacks. With Sige's guidance, we'll explore inventive solutions to these vulnerabilities, such as how backup software can serve as an early warning system against ransomware by detecting unusual patterns.
Finally, we chart a course through the future of aviation cybersecurity, scrutinizing the overhyped nature of zero trust and the expanding roles of IT managers in smaller organizations. We'll touch down on the need for simplified security architectures and the thrilling new frontier of space-based infrastructure, pondering the security implications of satellites and other celestial tech advancements. Sige Brody ensures this episode is a first-class ticket to understanding the complex, ever-evolving realm of aviation cybersecurity.
This is Encrypted Ambition—a podcast about the builders rewriting the rules. Join Petronella Technology Group as we decode the ideas, challenges, and momentum behind tomorrow’s business, technology, and leadership breakthroughs.
That’s a wrap on this episode of Encrypted Ambition. Subscribe wherever you listen, and if today’s guest inspired you—leave us a review or share the show with someone in your circle.
To learn more about how we support innovators with AI, cybersecurity, and compliance, head to PetronellaTech.com.
Thanks for listening—and remember, the future favors the bold.
NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.
Support the Show
Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:
- YouTube PetronellaTech
- YouTube Craig Petronella
- Podcasts
- Compliance Armor
- Blockchain Security
- Call 877-468-2721 or visit https://petronellatech.com
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:02):
Hey everybody, welcome to another episode here
of the cybersecurity podcastwith Craig Petronella and, of
course, myself, blake.
Today we have a very specialguest.
We have Sige Brody.
Please introduce yourself, sir.
Speaker 2 (00:16):
Hey guys, nice to meet you, nice to be here.
Yeah, my name is Sige Brody.
I was the chief technologyofficer and co-founder of a
managed cloud computing companycalled Webair almost 20 years
ago.
We sold that to a privateequity firm about two and a half
years ago and that ended upmerging with a bunch of other
(00:38):
organizations and that is nowcalled Optinine.
I am still the CTO over therein a part-time capacity and I'm
also out doing consultingservices around product
management and cybersecurity forother interesting technology
companies.
Speaker 1 (00:55):
Nice.
Tell us about, maybe, some ofyour core values at Optinine and
then some of the other spacesand verticals that you work in.
Speaker 2 (01:03):
Sure, yeah.
So the primary valueproposition of Optinine is
really a managed cloud provider,and the services that Optinine
provides surround management ofpublic and private cloud
infrastructure and then also alarge focus on business
continuity, disaster recoveryand overall resilience.
(01:25):
So with that we have servicessuch as managed backups and
managed disaster recovery.
The important thing to note isthat we are focused on working
with organizations who haveacknowledged that they don't
have an appetite to takeownership and accountability of
ensuring that their cloudinfrastructure is properly
(01:45):
managed and monitored andsecured and scaled, that their
disaster recovery infrastructureis set up properly.
The outsource ownership ofthose layers to us and we are
the ones responsible to ask theright questions, ensure the run
books are in place, ensure theright buttons are pressed, and
so on and so forth.
So as we look into the futureand we see IT getting more
(02:08):
complex, I think sort ofoutsourcing, sort of
non-interesting or sort oftransactional layers managing
infrastructure being one of themis low hanging fruit and we see
a lot of organizations makingthat decision.
The other organizations I'minvolved with I've done some
investing in technologies that Ithink are cool and providing
(02:29):
some consulting around there.
So one company that I've beenworking with is called Sidiation
.
They are focused on providingcybersecurity protection for
physical aircraft and they helpthem sort of get the word out.
The aviation is, prettysurprisingly, is pretty far
behind others that we're allfamiliar with as far as
requirements around vendordiligence and proper security.
(02:50):
So helping them educate and letpeople know what they need to
do to protect their fleets.
Speaker 1 (02:56):
What type of physical security does an aircraft
require?
I know that's a silly questionand obviously Craig and I work
with computers and servers.
So to me, whenever you sayphysical security with aircraft,
I don't know what triggers.
So I'm curious.
Speaker 2 (03:12):
Yeah, it's a really interesting sort of topic,
especially for folks like us whohave come from a new
traditional cybersecuritybackground.
But so when you think about aphysical aircraft, there's a few
attack vectors.
The possibly most alarming oneand most obvious one is that the
radio frequency basedcommunication.
So you have planes and theground and satellite sending RF
(03:38):
type of signals and these RFbased messages are unencrypted
and unauthenticated.
I think the unauthenticatedpieces is probably the more
critical.
First, right, because if youcan transmit a message powerful
enough to be received by anaircraft, the aircraft has an
(03:59):
assumption of trust that it isaccurate information, and so you
can do a lot of nasty things.
In fact, a few months ago andso something like GPS jamming
has been around for a bit.
It's actually getting more sortof talk now because of the
conflicts that are going on andthe fact that it's actively
being used by military.
(04:19):
But more alarming is GPSspoofing, which, from our world,
we go back maybe 15 years andtalk about sort of just TCP or
really just IP spoofing.
Same thing right.
At some point it was this holygrail.
Is it possible?
Oh, it's really difficult.
What we got to work in somecases and then it became very
(04:39):
prevalent, right, and so we'regoing to see the same thing.
In fact, a few months ago,there was a period of about
three weeks where about over 20commercial and business aircraft
were the victims of GPSspoofing, and they in you know,
we're talking 787s, 777s,airbuses, gulfstreams and they
(04:59):
all thought they were about 80nautical miles off from where
they were supposed to be.
One of them almost ended up andI ran by mistake.
That would be bad, and superinteresting is that a few years
ago, somebody had this greatidea to enhance the onboard
inertial positioning systems totake GPS in as another factor to
(05:20):
better ensure that positioningis correct, and it was that
system's always designed to bestandalone, and now, when this
happened, the GPS data came inthe IRS.
That system got super confusedand it caused a cascading
failure.
All these other systems in thecockpit failed, and I'm talking
about the planes that I justmentioned and basically these
(05:41):
planes have to call air trafficcontrol and say where are we and
where should we go, which issurprising.
So radio frequency is one.
The other attack vectors reallysurround physical access to the
aircraft and trust, and so ifyou think about the number of
people that have access to theseplanes, all these
subcontractors and vendors.
(06:01):
Again, there is an assumptionof trust.
If you have access to a device.
Lots of these devices haveethernet ports, usb, some of
them are pretty old PCMCIA, allsorts of different inputs.
If you have access to those,then anything that you plug in
there is assumed to be valid.
You can override the place toconfig all that and when those
(06:23):
types of attacks, you can modifythe guidance systems, the
navigational data, the autopilot, the actual control surfaces,
even in the cabin people think,well, the cabin is separate.
You get into a cabin managementsystem.
You can set off the fire alarm,the fire suppression system,
the plumbing for the toilets.
(06:43):
I mean you can force a plane tonot take off or force it to
make an emergency landing.
So that really comes down tosupply chain and vendor
diligence and all that.
Speaker 3 (06:56):
So there's all sorts of alarms going off in my brain.
I'm thinking like pen testerfor airplanes.
Speaker 2 (07:04):
That's what this company does is a situation.
They're doing vulnerabilityassessments for a physical
aircraft.
Speaker 3 (07:11):
So would it be possible for a hacker to either
board a plane or go into anairport where there's maybe a
busy airport, like Atlanta forexample, where there's a lot of
aircraft kind of taxing in, anduse something like a, like a
flipper zero or some type ofdevice like that, to kind of
either infiltrate or jam signals?
Speaker 2 (07:33):
Oh yeah, absolutely.
I don't know the output powerof you know I'm familiar with
that device, but as far as theproxy me requirement, I don't
know.
I mean, obviously those thingsare all possible, right, it's
not a matter of is ittechnically possible, it's more
a matter of you know how illegalit is, right.
Same thing with, you know,shining the lasers up on the
(07:53):
planes, right, like obviouslyanybody could do that at any
time.
We're just, it's just luckythat it's not being done much.
Speaker 3 (08:01):
So my fear yeah yeah, sorry to interrupt you.
My fear is that there's sometype of spy balloon that has RF
jamming capability, that, oreven drones that are flown with
some type of jammer capabilityto you know.
You know that, all sorts ofalarm bells going off.
(08:21):
Oh, yeah, yeah.
Speaker 1 (08:24):
Who has weaker secu.
Oh, I'm sorry, go ahead.
Go ahead, blake.
I was just curious.
I'm a huge Airbus guy so I'vebeen, I'm on the Airbus train
and I've invested in Airbus,like you know.
Obviously I hold stock inAirbus and I have for I don't
know years now.
So I'm not a huge Boeing guy.
But who has weaker security,would you say Airbus or Boeing.
Speaker 2 (08:47):
Yeah, he's taken me right to the hard questions.
You know it's interesting.
I don't know that I can answerthat we Sidiation works with
both of them, and so whatSidiation really does is they're
doing like deep R&D aroundthese avionics components.
And you know some of theseplanes are fairly old, right,
(09:09):
and so when, when they were putinto production assuming you
know, physical access meansassumed trust, you know that was
.
There was nothing wrong withthat back then, I guess.
But some of thesevulnerabilities like if you, if
I showed them to you on theplatform, they would read like
this like the cabin managementsystem, you know, has a
(09:29):
hard-coded IP of 10.0.0.5.
It's open to defaultcredentials and if you plug into
the Ethernet port, you can youcan, you know, tftp over and
override the configurations andconfigs right, like the types of
vulnerabilities are not, youknow, crazy just because it
happens to be on a plane andunfortunate things if you're
(09:50):
flying on a 30 year old plane,like you're gonna run into those
types of things.
Now, upgrading and updatingthose components can be very
time-consuming, they can't justdo it right.
It could be only two or threeyears to replace a component
like that, and so a lot, of, alot of this sort of mitigation
for those types of things comesdown to security awareness,
(10:12):
training and contextualawareness.
You know, you need to be awareof these exact vulnerabilities
which we know this fleet or thisplane to be susceptible to.
Instead of you know, sort ofoverwhelming them with just all
the possibilities, make it verycontextual.
Speaker 1 (10:29):
Yeah, that makes a lot of sense and you know we we
deal with, obviously we deal alot of computers and devices and
personal devices, businessdevices.
But my follow-up with that isobviously these hackers that
have a motive right.
A lot of the motive that we seein our industry is financial.
So, from your perspective, whatis the motive to you know,
(10:54):
hacking a plane for one, andwhat benefit does that do to an
hack, to a hacker, right like?
There's obviously got to besome motive, right.
Speaker 2 (11:03):
So I did spend a little bit of time.
You know I actually have adiagram around it.
If I wanted to ransomware anaircraft, here's how I would do
it and obviously there isfinancial benefit there, right,
and you know the amount of moneylost when these planes are
sitting on the ground is prettyhigh, you know.
(11:24):
I mean, can you compare it to ahospital being ransomware?
I mean, it's probably close.
I mean, some of these planesyou know cost, you know, 80 to
100 million dollars and you knowwhat does that look like when
they're down for a week.
And the the operators, you knowthey have insurance if an
engine is fails and needs to bereplaced.
You know what is that.
(11:44):
What is the loss of businessamount to for a week?
Loss of business for anaircraft because of some sort of
cyber attack is not somethingthat any insurance company in
the industry is going to coverat all.
Right now it is definitely inthe gray area and I've talked to
some insurance counters thereand they agree.
But if I wanted to, you know,ransomware plane, you know,
(12:05):
think of it.
You know you have these.
You have these vendors who arecoming on and off the planes and
plugging in laptops to allthese systems.
Now, unfortunately, there isalmost no vendor diligence in
this industry.
If I'm, if I'm, if I'm theowner of a fleet and I am and
I'm entrusting a vendor or apartner to perform maintenance
(12:27):
or do updates or replace afailed component, there's no,
there's no.
Hey, fill out the cybersecurity diligence form.
Show me how you and you know,enhance my security, not expose
me to more.
And so those laptops, you know,are they running EDR?
Are they going home and sittingon someone's home network?
You know what is the cybersecurity posture back at the
corporate office?
Look like for these vendorsthat that's not happening.
(12:49):
And so it wouldn't be fairlydifficult to develop a true, to
take a traditional ransomwarestrain, right, that gets into a
traditional IT organizationthrough phishing, social means,
whatever.
And once it's in, what are theydoing?
Now?
They're looking for criticalassets, right, they're designed
to look for SQL databases,whatever.
A critical asset you know.
(13:10):
Swap that critical asset to aavionics vulnerability, you know
, now, now, the ransomwaresitting on these laptops,
dormant, and it's just waitingto see, to see the right
signature on a local land, andwhen it does, it can ransomware
that component.
And so the leap from where weare to sort of a more sort of I
don't know industry specific oruse case specific strain.
Speaker 3 (13:32):
It's not that, it's not that sort of crazy right
have any drills been done liketo simulate attacks like that?
Speaker 2 (13:40):
now.
I mean, unfortunately, the likeI said, industry is pretty far
off.
I'm I just spoke at a, at a, ata large business aviation
conference a few weeks ago,talking about these things, and
so that's what we're just, atthe point where we're educating
as like, hey, these are therisks, this is what's possible,
what's not, and I think, similarto HIPAA and health care, it's
(14:03):
going to take some top down sortof pushing on.
You know, maybe you knowwarning, you know sort of
threatening fines.
So actually in Europe, actuallyprobably Blake, going back to
your maybe maybe going back toyour Airbus comment a little bit
but the Europeans do have acybersecurity for aircraft
regulation going live next year,in 2025, and it's great.
(14:25):
And if you look at it, it readslike what you guys would be
used to.
You know proper monitoring forunauthorized access, proper
securing of making sure they'rerunning the latest firmware,
anything that you would seeunder normal sort of cyber
requirements.
They're requiring that onphysical planes and so that will
help.
The FDA traditionally is alittle bit behind YASA on these,
(14:45):
but it's coming.
Tsa has some requirementsaround it now, but they don't.
They don't cover, you knoweverybody, and they actually
also now just recently, made anannouncement that if you want
FAA funding for airports, youneed to include in your proposal
how you plan on protecting theairport from a cybersecurity
perspective.
So it's starting, but it willtake time.
(15:07):
We just really need to be outthere.
You know advocating, sure I'msorry, blake, real quick.
Speaker 3 (15:15):
So what about DOD, or Department of Defense in
military?
Is there any?
Is it still education there oris there any testing being done?
Speaker 2 (15:24):
Oh yeah, they're like in a completely different frame
of mind.
They are very advanced and theydo a ton of stuff in this area
and they're not like.
Their RF communication is notlike what I'm talking about,
right, so they have their ownstuff and, from what I
understand, they're aware of allthese things and they protect
(15:45):
themselves.
Okay.
Speaker 3 (15:47):
So it's kind of like the traditional trickle down
effect.
You know big companies, bigmilitaries, and then it comes
down.
But you know the system right.
Speaker 2 (15:56):
Yeah, I mean I think it's really ironic and
interesting is, if you thinkabout commercial airlines right,
some of the largest in theworld, all the names that we
know about they spend millionsof dollars a year on
cybersecurity.
They have their own, theyusually have their own socks and
they're paying threatintelligence companies.
You know half a million orthree quarters of a million
(16:19):
dollars for threat intel ontheir organizations to know
what's going on.
Very mature sort of internal.
You know cyber teams, yetironically, their most critical
and price assets the aircraftsthey have no visibility into
those at all, into what's goingon whatsoever.
And so part of what you know asituation is trying to do and
(16:40):
what I'm helping them with is,you know this is, this is a
bridge.
You know the platform thatthey're developing, which is
really it's a real time, it's avulnerability assessment, but
it's also continuous.
You know that can speak, thatcan feed data into the SIM.
You know we can.
You know it already has.
You know Mitre attack framework.
You know notifications.
It can speak sticks taxi.
I mean we need to create abridge between the existing
(17:02):
cybersecurity apparatuses andthese new threats.
In fact, at Optinine we didsomething similar.
Optinine is in the business ofyou know, like I said, managing
backups and disaster recovery,and part of that is we actually
will deploy and manage backupand replication software at our
at our customers, you knowlocations or on their servers
(17:23):
and we manage them.
And we noticed that a lot ofcustomers were coming to us to
consume those services becauseobviously they were they were,
you know, mindful of securityand they wanted a capability to
recover post attack.
And then we realized that whenattackers who are looking to
ransomware an organization getinto organizations and IT
(17:43):
infrastructure these days,they're actually one of the
first things you're doing is avery common pattern in workflow.
One of the first things you'redoing is they're looking for
those backup and replicationtools.
They're seeking them out sothat they can destroy any, any
potential for recovery and,blake to your point, if that's
what your economic benefit is, Iwant to get paid a ransom.
I'm going to do everything inmy power to improve the
(18:05):
likelihood of getting paid.
So, because we knew they werelooking for these backup and
replication tools, one of thethings we did was we built an ad
, we built this add-on to ouroffering, where we would run the
backup software configurationitself through machine learning
on our side and we would lookfor anomalies and look for
suspicious activity.
(18:26):
If the end users maybe changetheir retention policy twice a
month, it may change us toencryption once a week, change
job definitions and all of asudden in one day we see a bunch
of jobs deleted and otherchanges.
That's suspicious and becausethose things are happening
before the ransomware takesplace, it would be a predictor
(18:47):
of a ransomware attack.
And so we built that andproductized it and we tied it
into our service that if andwhen we saw that we can
automatically air gap theoffsite backups or DR or we can,
we built an API, we feed itinto the client's SIM or the
RMSP partner's SIM, and again, Ithink you have.
So it's like very it's a verysort of similar use case to the
(19:11):
aircraft.
You have this new attack vectorthat maybe it's been around for
a long time like backup service.
It's been around for a while,airplane's been around for a
while, but all of a sudden it'san attack vector that was not
encompassed by this cyber team.
Now it's being exploited and weneed to sort of build that
bridge.
Speaker 1 (19:31):
Yeah, I'm surprised, honestly, the FAA doesn't have
regulations behind this, likesome type of compliance mandates
that say, hey, if we're goingto operate in our airspace, you
have to go, like we see it in,obviously, data centers,
endpoints, cmse, yeah, yeah,yeah, any type of cyber
infrastructure.
We see these mandates alreadyexisting.
(19:52):
But the airline industry I meanit's a huge portion of our
economy, right.
So travel, the airline industry, I mean I don't even know how
much, I mean it's billions andbillions of dollars, right of
the sector that just goesunnoticed, uncared for.
I'm so surprised there's notmandates around that.
(20:14):
And so for you, I'm curious,you said it's coming right.
You did say that.
So what would those mandateslook like for you?
If you had a golden grail ofmandates, what do you think they
would include?
Speaker 2 (20:31):
Well, so you know, if you look at what IASA, which is
the European FAA, essentiallyput out, you know it's exactly
what you're saying.
We are mandating operators.
And someone asked me this theother day.
They said is it aircraft thatare registered within Europe or
that land within Europe?
(20:52):
I said, you know that's areally good question and I don't
know that there's an answer forthat yet.
But that has huge impact, right, because you know now it's like
you have every operator in theworld and every commercial
operator needs to comply.
Then at that point and you'renot just going to comply when
you land, you need to complyyour fleets fully.
But the requirements that IASAis putting out, which is called
(21:13):
the PartIS and it goes live inOctober of 25.
And I'll read them to you.
You know, and again it readsvery similar to what you know,
what you know our traditionalindustries have been talking
about for a while maintainingthe security of an aircraft
system through their lifecycle,vulnerability management,
identifying the sessing andmitigating vulnerabilities in
aircraft systems, securityawareness, training, protecting
(21:33):
the integrity and availabilityof aircraft system.
And that's a fun one, right?
I used to have a lot of funwith that one with HIPAA,
because HIPAA also spoke aboutavailability of data, which and
when I was really focused onselling disaster recovery we
would use that.
We'd say, hey, hipaa is notonly about you know people
(21:54):
stealing your data, but ifsomeone can cause your system to
go down and make that patientdata unavailable, that's a HIPAA
violation.
If you're, if you're, if youhave downtime, your bio and you
know doctors can't get thepatient data, that's a violation
.
So that's an interesting one.
The other ones, back to IASA,are ensuring the confidentiality
of aircraft data monitoring,aircraft systems for sign up,
(22:15):
unauthorized access or activity,aircraft incident response,
implementing measures tomitigate risk.
So, again, like very sort oftraditional, you know table
sticks type of requirements.
But the issue is, you know theword aircraft shows up in almost
all of these, right, and sothat's the rub there's not many
tools and systems that are outthere designed for that.
Speaker 1 (22:37):
I also see a web of jurisdictional conflicts, right?
So let's just say for example,an American airplane is flying
within the borders of Europe andsomething happens within the
borders of Europe, who hasjurisdictional authority over
that plane to investigate sadbreach?
(22:58):
You know what I mean.
Like it just, yeah, it becomesthis web of entanglement.
Speaker 3 (23:03):
I'm also envisioning some type of, you know, fly by a
hostile country and some typeof almost EMP, but specific for
aircraft, you know, like a newcyber weapon aimed at aviation.
Speaker 2 (23:19):
Yeah, I mean like so all of this stuff can happen,
you know, obviously in the airand in the sky In fact.
In fact, one of the RF systemsthat is susceptible to this is
called AVSB and basically justpositioning data and interesting
thing is, all the planesactually it's now mandated that
(23:39):
the planes do this.
So if you there's actually somepretty cool sites out there,
like if you go to ADSB exchangeor flight or flight tracker,
which is a really cool app youcan install on your phone, you
might have those right now.
They're awesome, they haveaugmented reality.
You can just point your phoneat any plane you see flying past
in the sky.
It tells you the tail number,it tells you where it came from,
where it's going really coolstuff.
(24:00):
But if you look in the cornerbehind me, I have a little, I
have a little radio there.
I'm participating in this ADSBexchange.
You go to the website.
It shows you a global map ofwhere every single plane is in
the world right now and that'sall.
That's all hobbyists like methat are that are sort of
contributing to this network.
It's like SETI and it's cool.
(24:20):
My little radio back here.
I can.
I can receive signals within300 miles.
If I can look at just my map,it's actually awesome.
It's a little Raspberry Pi witha $50 USB radio.
It's not a lot of fun, butanyway, the planes all put out
these signals and so that's cool.
Here's where I am.
One of the interesting thingsis that there's this collision
(24:41):
avoidance system where theplanes receive the signals from
the other planes in the area andthe planes actually speak to
each other and they basicallywill say they form this
consensus it looks like we'regoing to, it looks like we're
going to collide, I'll go, I'llgo up, you go down, I'll go left
, you go right.
And these messages arebasically shown to the pilots
(25:06):
like hey, your, your collisionavoidance system is going off.
We recommend that.
You know we want to move tothis position and we want to do
this.
Press the button.
And so very easy to send a fakemessage and cause and cause
that, cause that and cause theplane to move or change position
.
Speaker 1 (25:23):
I'm really curious, so something that I know.
This is more kind of contentfocused, but you know, obviously
, when the Super Bowl washappening and you know,
obviously Taylor Swift wasflying across the ocean and
people were tracking her flights, and then now you see there's
(25:44):
this young guy can't think ofhis name, but I'm sure you know
the young guy who's trackingcelebrity jets and posting that
information Tracking Elon Muskat one point.
Yeah, same kid.
So something that nobody reallytalks about and I'm curious to
get your take on is transparencyof of this information right?
(26:06):
Because they're they're usingfederal airspace, right, they're
using federal tax dollars,obviously, and so there has to
be some type of window for thepublic.
Where, where do you define thatRight?
Speaker 2 (26:19):
Well, so that's what's actually happening, right
?
So if you go onto these sitesyou can see all the planes and
you can see their tail numbers,the, the FAA registered tail
number.
And if you go to the FAA'swebsite you can look up any tail
number.
It'll tell you what type ofaircraft it is, give you some
registration info and give youownership and typically what,
(26:40):
what is done to sort of to sortof obfuscate the ownership in
the.
You know, I don't, I think thecommercial operators, they don't
care, you know, it's like theyjust put it out there.
But definitely in the businessworld side, an LLC, a new LLC,
is created per aircraft andthat's sort of like the, the
paywall that you can't getbehind, and so you don't
(27:01):
necessarily know who the LLC.
I mean, you know, ironicallyenough sometimes, that now you
can go digging and you can lookat the LLC and you look at the
address and it's fairly, youknow, like I saw one that you
know typically they'll put likethe initials of the company.
You don't need to.
But that's the thing.
If you can, once you get thename of the LLC, if you can
figure out who owns that LLC orwhat it's related to, now you
(27:23):
know who's playing it is.
Now, what can they do?
I'm sure there's a way to.
Maybe, I don't know, maybe youcan request to change your tail
number, maybe you change the LLC.
But once someone has thatassociation, once you can get
from tail number to kind ofowner they are the operators.
Now mandate to put out thesesignals of here's, here's where
(27:44):
I am right now, here's my tailand here's my position, and then
it's trackable.
I think and that's a thing,that's an interesting thing Like
it's like you know people.
I think the person who wastracking Taylor Swift, you know
they sent him a cease and desist, right, and they sent him all
this.
Like we're going to sue youbecause you're putting her, like
, at risk, and all this.
But meanwhile, you're right,it's publicly available
(28:06):
information.
He's just bundling it up in away that's easier for folks to
see.
Speaker 1 (28:11):
And I'm assuming you believe in that ability to do
that right, I mean.
Speaker 2 (28:18):
I don't know, I haven't really thought about it
much.
I mean, on one hand it's youknow it is it's it's related to
federal government and this andthat and taxpayer dollars.
On the other hand, it does makeit easier right to conduct
these attacks.
Speaker 3 (28:32):
But I wonder if it needs to stay public.
Speaker 2 (28:36):
Well, yeah, well, the tail number is.
You know, the tail number isjust a number, right?
I think maybe the registrationinformation right, that's what I
mean.
Yeah, maybe not showing theowner or maybe, you know, maybe
that has to be behind like afreedom of information act
request or something that makesit more difficult.
Speaker 1 (28:58):
We're starting to see a lot of.
You know we talk about liketrust lists, like zero trust
frameworks, a lot, and you knowthere seems to be kind of a
divide of people that say no,zero trust isn't the way, and
people saying zero trust is thefuture.
I'm curious.
I could tell by your facialexpression you have a few things
(29:20):
to say.
Speaker 2 (29:23):
Zero trust has been, you know, overly it's turned
into this overhyped marketingterm.
Look 15, 20 years ago, you know, in our offices in the optinine
at that point it was Web Airoffices we had a whole bunch of
employees, we were techcompanies like it's not a fair
(29:43):
example, but we wanted to secureour staff and our people and
ensure that, you know, there wasno data leakage.
So every employee was put intheir own VLAN and when they VP
and in, they ended up in thatsame employee VLAN and so there
was segmentation.
They were not on a shared layertwo network and it was that was
(30:04):
.
You know, we were doing zerotrust without having a fancy
name for it, and that's whatbothers me.
I think that you know going.
You just sort of I worry thatthere are business owners that
are out there who read the news,see these stories about
ransomware and basically intheir head they're like well,
(30:26):
I'm okay because I buy backupsor I have a disaster recovery,
or I pay the security company totake care of everything for me,
and there's all these likethere's so many bad assumptions
related to cloud and securitythat people have a false sense
of security and they just sortof discount it and, as you guys
know, this is all multi-layered.
There's no, there's no.
(30:47):
If I have X, then I'm secure.
And I think we fall into thattrap with zero trust.
We subscribe to zero trust,therefore we're all set, we can
ignore everything else.
And that's what scares me isthe marketing aspect of it.
There's a company that isfocused on cybersecurity for the
space vertical, for digitalinfrastructure and space, and so
(31:08):
there's an AWS snowball, which,if you don't know, is a
glorified Raspberry Pi computedevice and it's an edge.
It's okay, it's an AWS edgecompute device, but under the
surface it's pretty much aRaspberry Pi.
Anyway, there's one of those onthe space station, and so, from
a marketing perspective, it'slike whoa, we have edge compute
(31:29):
in space.
You know we can conductcomputational things in space.
We have public cloud in space,raspberry Pi, and that's cool.
Like you got to start somewhere.
But then this other companycame along and says hey, we're
doing zero trust in space.
So, marketing perspective, Ithink it's great.
I would have done the sameexact thing, but we got to be
careful, you know.
So do I believe in your trustprinciples?
(31:51):
Yes, is it to be all into all?
Speaker 1 (31:53):
No, that's kind of funny to me.
Obviously, we want to talkabout the future.
Right, I know you don't have acrystal ball, but obviously you
kind of seems like you have apulse on where the future of
cybersecurity is heading.
Is there any type of excitingdevelopments that you feel like
(32:15):
that are happening now that maybe game changing or
groundbreaking in the future?
Speaker 2 (32:23):
Well, you know, I think I said at the beginning,
but one of the things that alsoscares me is the fact that if
you look at the role of ITmanagers, of CIOs, vp of
infrastructure, whatever youknow, the amount of sort of
responsibility put on theirplates year over year is
(32:43):
increasing and, in manyorganizations, smaller.
Obviously.
There's typically not aseparate sort of security
apparatus there than tasked withowning all the security stuff
as well, and I think one of thethings that a lot of those folks
in those positions don'trealize is part of their job is
to manage complexity group, isto have a focus on ensuring the
(33:04):
most simplest architecture thatthey can find which still
satisfies the business needs andprovide some level of
flexibility.
That should be one of theirgoals, but I don't think that
they're really thinking that way, and so we end up with this
vast sprawl that we're all awareof, right?
We end up with cloud sprawl.
We end up with, if you look at,something like SASE, right,
(33:27):
another great marketing term.
Thank you, gartner is cool, butit's not one product, it's like
50 products, and so people needto like really focus on
simplifying their environment,because the more complex it is,
obviously the harder it's goingto be to manage, monitor, secure
and scale it right, and itbecomes almost impossible, and
(33:48):
so we need to take a very activeapproach on managing complexity
.
If that's not done, it willalmost become impossible.
And again, I think that alsomeans the outlook is good for
managed vendors, mssps, managedsecurity vendors, managed cloud
vendors, all that and so I thinkwe're going to see, in the
(34:08):
future, outsourcing to best andbreed becoming much more common,
because, as things get morecomplex which they will it's
going to be almost impossiblefor internal teams to do it.
Speaker 3 (34:22):
I think, by the way, I think it's well-heating fruit.
Speaker 2 (34:24):
I think if you have remediation list of 50, you
don't like, hey, I'm just goingto give it to my vendor.
Yeah, I have spent some timelooking at what's happening with
digital infrastructure in space.
It's just an interest of mine.
I think it's just super, supercool to geek out on Space-based
data center, space-based edgecompute, space-based
(34:47):
connectivity.
There's a company, actually,that was a great launch
Yesterday.
It was a SpaceX ridesharelaunch, the first of this year.
The rideshare launches areawesome because they're
typically like 100.
I looked at my LinkedIn.
There was like 30 differentcompanies that were in space.
We made it because they're allin the same rideshare.
But it was a company that'sdoing cell phone towers in space
(35:10):
, direct to device.
I'm on my normal iPhone I don'twant Android and I have cell
phone access because I'mdirectly connected to a cell
phone tower in space.
How cool is that?
Now you think about where's thecontent?
Well, why not just put it inspace, in the space data center,
which gets free power and freecooling?
Is it going to happen tomorrow?
(35:31):
No, but I think it's super funto talk about.
That.
All needs to be secured Now.
There's a lot of optical links.
Now all the space-basedconnectivity is optical in
nature.
Amazon Kuiper is already doing100 gig satellite to satellite,
spacex is doing satellite tosatellite.
Now how do you secure that?
(35:52):
I don't know To me.
Now, going back to complexity,look at the increased complexity
there and now apply yourcybersecurity frameworks to that
.
Sorry, go ahead.
Speaker 1 (36:09):
No, I was just sorry.
I had a really quick follow-up.
It brings up a lot of thoughtsto my mind Now.
I haven't seen any mandates orframeworks around satellite
security.
Yeah.
Speaker 2 (36:24):
People are talking about.
I mean, within the satelliteindustry there's like a subgroup
.
But again, going back to radiofrequency communication, a lot
of it has been and I think that,going back to your question
about aviation and the lack ofrequirements, a lot of it's been
security by obscurity and thefact that these things were,
from an engineering perspective,very difficult to do.
(36:44):
But it's amazing to see howquickly it's gone from theory to
active exploitation in the wild.
I'll give you another examplethat touches on space and
security and even complexity isthere's a company that's spun
out of Google I don't know howto pronounce her name.
It's called Al Yara, but if youthink you guys are familiar
(37:06):
with SD-WAN, the capability ofoverlaying on top of multiple
internet connections and allthat.
So what this company does isthey created something called
like temporal space software tofind networking, like they made
up a really co-acronym.
Then their focus is on meshing,is on taking terrestrial fiber
connectivity, terrestrial5G-based connectivity, multiple
(37:32):
satellite operator connectionsand creating a mesh network.
That is creating an overlaidmesh experience where, if
satellites are blown out of thesky, if your network is cut,
whatever your connectivity canmove from one part to the other
with no disruption at all.
(37:52):
To me, it's super cool.
It's something that we didn'teven think we needed, but now,
as these new options forconnectivity become available,
we're going to start using themNow.
We need a way to manage thecomplexity Now.
How do we ensure security?
How do we ensure securityassurances?
As we go from platform toplatform, I think there's always
(38:15):
new problems to solve as weforce ourselves.
It's almost like self-effortingprophecy New technology we
never knew we needed it, but nowthat we see it, we want to use
it, and so we're going to use itNow.
We just made our lives morecomplex and now we have to
secure the more complex reality.
Speaker 1 (38:36):
Yeah, yeah.
Well, we went down the rabbithole of space.
We went down the rabbit hole ofaviation.
We talked briefly on Cloud.
Obviously a part of you joiningour podcast, obviously you're
tapping into our audience andour viewership and our listener
base.
Is there anything We'd like toobviously give you the platform
(38:59):
here.
Is there anything that you feellike we didn't talk about that
maybe you had on your mind?
Speaker 2 (39:08):
Well, I would say, just going back to the comment
about assumptions, don't assumeanything.
A lot of people like to checkthe box around backups, disaster
recovery and again, I think themost important thing that an
organization can answer himselfis do we have an appetite to
take ownership andaccountability of managing X, y
(39:28):
and Z, of being responsible thatwe've set up our AWS account
the right way and that wechecked all the boxes?
Do we want to be on the hook?
Do we want to be on the hook toensure that our disaster
recovery configuration isworking properly, or would we
rather just sign a contract forit and hold a vendor accountable
to an SLA?
And I think people don'trealize.
When you think about managedservices I think you guys have
(39:50):
similar services is you're notbuying bits and bytes or X
amount of storage.
You're buying performance, likewith Optinine.
You're entering into a contractthat we are going to ensure
that your disaster recoveryinfrastructure is up and running
with the specified RTO ofrecovery time and that your data
is no longer than X amount old.
(40:11):
And if we happen to be usingthe wrong hardware
infrastructure on our side toget that job done, well then
it's on us to spend any amountof time or any investments to
ensure that we upgrade so thatwe're meeting the performance
requirements of the contract.
And so the first question iswhat do we want our IT folks
(40:33):
managing infrastructure andsecurity and cloud and backups
in DR or do we want them focusedon adding value to the business
?
That is super important.
By the way, I've worked withmany very large organizations
who totally have the technicalcapabilities and the teams to do
all that, but they've made theconscious decision of we don't
want to be on the hook for it.
We'd rather have a contract andsue someone to get to that, to
(40:56):
be responsible for it.
And so I would say that toeverybody.
Think about that and also thinkabout the assumptions that you
might be making of we're goodbecause and then talk to a
vendor Optinine is great atmanaged disaster recovery,
backups, managing cloud,especially with what's going on
with Broadcom and VMware rightnow.
(41:16):
I don't know if you guys arefollowing that.
Yeah, yeah, it's a mess.
I know it's going to cause aton of consolidation.
I mean that was a really goodtime If you were teetering.
Well, maybe should we keeprunning our own VMware.
Should we keep running our ownhardware One of the cool things
that Optinine does is we runmanaged VMware private clouds
(41:37):
and so we can move your existingVMware-based infrastructure to
keep it on VMware.
Our pricing is much better thanwhat your renewals are coming
in at Integrate to your existingnetwork and adhere to your
existing security framework sothe best of both worlds.
So, yeah, those are interestingthings I think to put out there
for Optinine.
(41:57):
And then myself I'm involvedthere.
I'm also doing some consulting,so if there's anything I've
mentioned that is interesting,feel free to hit me up.
But, as you can tell, I love tochat about these things.
Speaker 1 (42:08):
Yeah, yeah.
Tell our listeners how they canreach you, how they can
communicate with you.
What's the best means to makecontact to you?
Speaker 2 (42:16):
My personal website is 10forwardai number
10forwardai or find me onLinkedIn.
Speaker 1 (42:23):
Yeah, we'll find it and we'll drop some links here
in the description.
Awesome, I think that's allthat I had, craig, any.
Speaker 3 (42:32):
No, I think that was great.
So one last question I had onthe Optinine Do you support most
of the modern regulations?
I know you mentioned HIPAAcompliance, assuming that maybe
you're achieving or headedtowards CMMC compliance.
Is there anything that you guysdon't do or that you like in a
(42:55):
certain regulation or vertical?
Speaker 2 (42:59):
Yeah, I mean, is there anything we don't do?
Well, no, we do all of them.
If it's FedRAMP, that's theonly one that's a real fun one
to talk about.
But when we do FedRAMP, we liketo partner with AWS, govcloud.
Besides that caveat, we do allthe rest, and what we do and our
strategy around compliance iswe've taken our SOC2 audit and
(43:22):
we've added all of theadditional frameworks and we
added a section that shows howwe demonstrate how we comply
with all those and we map themback to our SOC2.
And we also let the client knowhey, for this specific
regulation, this one's on you.
And so we are mapping to CMMCand to ITAR and CJIS and HIPAA
(43:45):
and GDPR and probably 50 more.
Speaker 1 (43:50):
I should make you both aware of this.
It's always so annoying for us,but I mean, we find some fun in
it.
Speaker 2 (43:59):
Yeah, I saw CMMC on your website and I thought
that's like a super interestingone where it went, where it's
heading and, to me, what's goingto happen in the aviation
industry from a sort ofsubcontractor perspective.
I think it's going to look verysimilar to what's going on with
CMMC right now.
Speaker 1 (44:15):
Yeah, cmmc is our bread and butter.
Craig and I are both CMMCcertified.
I'm an RP, craig's an RP andwe're an RPO, so that's kind of
our bread and butter for sure.
Awesome.
Speaker 2 (44:29):
Well, thanks for your time.
Thank you.
Speaker 1 (44:32):
Yeah, thank you so much for coming on.
We appreciate the opportunityto speak to you and I'm sure we
will definitely stay in touchand we'll definitely see you,
probably likely in the future.
We will follow up and make surethat we check in on you and our
listeners as well.
We'll ask you back for updatesand, yeah, looking forward to
(44:52):
doing that with you.
Speaker 2 (44:54):
Awesome guys.
Thank you for the time.
Appreciate it, Thank you somuch.
Thank you.
Hey everybody, welcome to another episode here
of the cybersecurity podcastwith Craig Petronella and, of
course, myself, blake.
Today we have a very specialguest.
We have Sige Brody.
Please introduce yourself, sir.
Speaker 2 (00:16):
Hey guys, nice to meet you, nice to be here.
Yeah, my name is Sige Brody.
I was the chief technologyofficer and co-founder of a
managed cloud computing companycalled Webair almost 20 years
ago.
We sold that to a privateequity firm about two and a half
years ago and that ended upmerging with a bunch of other
(00:38):
organizations and that is nowcalled Optinine.
I am still the CTO over therein a part-time capacity and I'm
also out doing consultingservices around product
management and cybersecurity forother interesting technology
companies.
Speaker 1 (00:55):
Nice.
Tell us about, maybe, some ofyour core values at Optinine and
then some of the other spacesand verticals that you work in.
Speaker 2 (01:03):
Sure, yeah.
So the primary valueproposition of Optinine is
really a managed cloud provider,and the services that Optinine
provides surround management ofpublic and private cloud
infrastructure and then also alarge focus on business
continuity, disaster recoveryand overall resilience.
(01:25):
So with that we have servicessuch as managed backups and
managed disaster recovery.
The important thing to note isthat we are focused on working
with organizations who haveacknowledged that they don't
have an appetite to takeownership and accountability of
ensuring that their cloudinfrastructure is properly
(01:45):
managed and monitored andsecured and scaled, that their
disaster recovery infrastructureis set up properly.
The outsource ownership ofthose layers to us and we are
the ones responsible to ask theright questions, ensure the run
books are in place, ensure theright buttons are pressed, and
so on and so forth.
So as we look into the futureand we see IT getting more
(02:08):
complex, I think sort ofoutsourcing, sort of
non-interesting or sort oftransactional layers managing
infrastructure being one of themis low hanging fruit and we see
a lot of organizations makingthat decision.
The other organizations I'minvolved with I've done some
investing in technologies that Ithink are cool and providing
(02:29):
some consulting around there.
So one company that I've beenworking with is called Sidiation
.
They are focused on providingcybersecurity protection for
physical aircraft and they helpthem sort of get the word out.
The aviation is, prettysurprisingly, is pretty far
behind others that we're allfamiliar with as far as
requirements around vendordiligence and proper security.
(02:50):
So helping them educate and letpeople know what they need to
do to protect their fleets.
Speaker 1 (02:56):
What type of physical security does an aircraft
require?
I know that's a silly questionand obviously Craig and I work
with computers and servers.
So to me, whenever you sayphysical security with aircraft,
I don't know what triggers.
So I'm curious.
Speaker 2 (03:12):
Yeah, it's a really interesting sort of topic,
especially for folks like us whohave come from a new
traditional cybersecuritybackground.
But so when you think about aphysical aircraft, there's a few
attack vectors.
The possibly most alarming oneand most obvious one is that the
radio frequency basedcommunication.
So you have planes and theground and satellite sending RF
(03:38):
type of signals and these RFbased messages are unencrypted
and unauthenticated.
I think the unauthenticatedpieces is probably the more
critical.
First, right, because if youcan transmit a message powerful
enough to be received by anaircraft, the aircraft has an
(03:59):
assumption of trust that it isaccurate information, and so you
can do a lot of nasty things.
In fact, a few months ago andso something like GPS jamming
has been around for a bit.
It's actually getting more sortof talk now because of the
conflicts that are going on andthe fact that it's actively
being used by military.
(04:19):
But more alarming is GPSspoofing, which, from our world,
we go back maybe 15 years andtalk about sort of just TCP or
really just IP spoofing.
Same thing right.
At some point it was this holygrail.
Is it possible?
Oh, it's really difficult.
What we got to work in somecases and then it became very
(04:39):
prevalent, right, and so we'regoing to see the same thing.
In fact, a few months ago,there was a period of about
three weeks where about over 20commercial and business aircraft
were the victims of GPSspoofing, and they in you know,
we're talking 787s, 777s,airbuses, gulfstreams and they
(04:59):
all thought they were about 80nautical miles off from where
they were supposed to be.
One of them almost ended up andI ran by mistake.
That would be bad, and superinteresting is that a few years
ago, somebody had this greatidea to enhance the onboard
inertial positioning systems totake GPS in as another factor to
(05:20):
better ensure that positioningis correct, and it was that
system's always designed to bestandalone, and now, when this
happened, the GPS data came inthe IRS.
That system got super confusedand it caused a cascading
failure.
All these other systems in thecockpit failed, and I'm talking
about the planes that I justmentioned and basically these
(05:41):
planes have to call air trafficcontrol and say where are we and
where should we go, which issurprising.
So radio frequency is one.
The other attack vectors reallysurround physical access to the
aircraft and trust, and so ifyou think about the number of
people that have access to theseplanes, all these
subcontractors and vendors.
(06:01):
Again, there is an assumptionof trust.
If you have access to a device.
Lots of these devices haveethernet ports, usb, some of
them are pretty old PCMCIA, allsorts of different inputs.
If you have access to those,then anything that you plug in
there is assumed to be valid.
You can override the place toconfig all that and when those
(06:23):
types of attacks, you can modifythe guidance systems, the
navigational data, the autopilot, the actual control surfaces,
even in the cabin people think,well, the cabin is separate.
You get into a cabin managementsystem.
You can set off the fire alarm,the fire suppression system,
the plumbing for the toilets.
(06:43):
I mean you can force a plane tonot take off or force it to
make an emergency landing.
So that really comes down tosupply chain and vendor
diligence and all that.
Speaker 3 (06:56):
So there's all sorts of alarms going off in my brain.
I'm thinking like pen testerfor airplanes.
Speaker 2 (07:04):
That's what this company does is a situation.
They're doing vulnerabilityassessments for a physical
aircraft.
Speaker 3 (07:11):
So would it be possible for a hacker to either
board a plane or go into anairport where there's maybe a
busy airport, like Atlanta forexample, where there's a lot of
aircraft kind of taxing in, anduse something like a, like a
flipper zero or some type ofdevice like that, to kind of
either infiltrate or jam signals?
Speaker 2 (07:33):
Oh yeah, absolutely.
I don't know the output powerof you know I'm familiar with
that device, but as far as theproxy me requirement, I don't
know.
I mean, obviously those thingsare all possible, right, it's
not a matter of is ittechnically possible, it's more
a matter of you know how illegalit is, right.
Same thing with, you know,shining the lasers up on the
(07:53):
planes, right, like obviouslyanybody could do that at any
time.
We're just, it's just luckythat it's not being done much.
Speaker 3 (08:01):
So my fear yeah yeah, sorry to interrupt you.
My fear is that there's sometype of spy balloon that has RF
jamming capability, that, oreven drones that are flown with
some type of jammer capabilityto you know.
You know that, all sorts ofalarm bells going off.
(08:21):
Oh, yeah, yeah.
Speaker 1 (08:24):
Who has weaker secu.
Oh, I'm sorry, go ahead.
Go ahead, blake.
I was just curious.
I'm a huge Airbus guy so I'vebeen, I'm on the Airbus train
and I've invested in Airbus,like you know.
Obviously I hold stock inAirbus and I have for I don't
know years now.
So I'm not a huge Boeing guy.
But who has weaker security,would you say Airbus or Boeing.
Speaker 2 (08:47):
Yeah, he's taken me right to the hard questions.
You know it's interesting.
I don't know that I can answerthat we Sidiation works with
both of them, and so whatSidiation really does is they're
doing like deep R&D aroundthese avionics components.
And you know some of theseplanes are fairly old, right,
(09:09):
and so when, when they were putinto production assuming you
know, physical access meansassumed trust, you know that was
.
There was nothing wrong withthat back then, I guess.
But some of thesevulnerabilities like if you, if
I showed them to you on theplatform, they would read like
this like the cabin managementsystem, you know, has a
(09:29):
hard-coded IP of 10.0.0.5.
It's open to defaultcredentials and if you plug into
the Ethernet port, you can youcan, you know, tftp over and
override the configurations andconfigs right, like the types of
vulnerabilities are not, youknow, crazy just because it
happens to be on a plane andunfortunate things if you're
(09:50):
flying on a 30 year old plane,like you're gonna run into those
types of things.
Now, upgrading and updatingthose components can be very
time-consuming, they can't justdo it right.
It could be only two or threeyears to replace a component
like that, and so a lot, of, alot of this sort of mitigation
for those types of things comesdown to security awareness,
(10:12):
training and contextualawareness.
You know, you need to be awareof these exact vulnerabilities
which we know this fleet or thisplane to be susceptible to.
Instead of you know, sort ofoverwhelming them with just all
the possibilities, make it verycontextual.
Speaker 1 (10:29):
Yeah, that makes a lot of sense and you know we we
deal with, obviously we deal alot of computers and devices and
personal devices, businessdevices.
But my follow-up with that isobviously these hackers that
have a motive right.
A lot of the motive that we seein our industry is financial.
So, from your perspective, whatis the motive to you know,
(10:54):
hacking a plane for one, andwhat benefit does that do to an
hack, to a hacker, right like?
There's obviously got to besome motive, right.
Speaker 2 (11:03):
So I did spend a little bit of time.
You know I actually have adiagram around it.
If I wanted to ransomware anaircraft, here's how I would do
it and obviously there isfinancial benefit there, right,
and you know the amount of moneylost when these planes are
sitting on the ground is prettyhigh, you know.
(11:24):
I mean, can you compare it to ahospital being ransomware?
I mean, it's probably close.
I mean, some of these planesyou know cost, you know, 80 to
100 million dollars and you knowwhat does that look like when
they're down for a week.
And the the operators, you knowthey have insurance if an
engine is fails and needs to bereplaced.
You know what is that.
(11:44):
What is the loss of businessamount to for a week?
Loss of business for anaircraft because of some sort of
cyber attack is not somethingthat any insurance company in
the industry is going to coverat all.
Right now it is definitely inthe gray area and I've talked to
some insurance counters thereand they agree.
But if I wanted to, you know,ransomware plane, you know,
(12:05):
think of it.
You know you have these.
You have these vendors who arecoming on and off the planes and
plugging in laptops to allthese systems.
Now, unfortunately, there isalmost no vendor diligence in
this industry.
If I'm, if I'm, if I'm theowner of a fleet and I am and
I'm entrusting a vendor or apartner to perform maintenance
(12:27):
or do updates or replace afailed component, there's no,
there's no.
Hey, fill out the cybersecurity diligence form.
Show me how you and you know,enhance my security, not expose
me to more.
And so those laptops, you know,are they running EDR?
Are they going home and sittingon someone's home network?
You know what is the cybersecurity posture back at the
corporate office?
Look like for these vendorsthat that's not happening.
(12:49):
And so it wouldn't be fairlydifficult to develop a true, to
take a traditional ransomwarestrain, right, that gets into a
traditional IT organizationthrough phishing, social means,
whatever.
And once it's in, what are theydoing?
Now?
They're looking for criticalassets, right, they're designed
to look for SQL databases,whatever.
A critical asset you know.
(13:10):
Swap that critical asset to aavionics vulnerability, you know
, now, now, the ransomwaresitting on these laptops,
dormant, and it's just waitingto see, to see the right
signature on a local land, andwhen it does, it can ransomware
that component.
And so the leap from where weare to sort of a more sort of I
don't know industry specific oruse case specific strain.
Speaker 3 (13:32):
It's not that, it's not that sort of crazy right
have any drills been done liketo simulate attacks like that?
Speaker 2 (13:40):
now.
I mean, unfortunately, the likeI said, industry is pretty far
off.
I'm I just spoke at a, at a, ata large business aviation
conference a few weeks ago,talking about these things, and
so that's what we're just, atthe point where we're educating
as like, hey, these are therisks, this is what's possible,
what's not, and I think, similarto HIPAA and health care, it's
(14:03):
going to take some top down sortof pushing on.
You know, maybe you knowwarning, you know sort of
threatening fines.
So actually in Europe, actuallyprobably Blake, going back to
your maybe maybe going back toyour Airbus comment a little bit
but the Europeans do have acybersecurity for aircraft
regulation going live next year,in 2025, and it's great.
(14:25):
And if you look at it, it readslike what you guys would be
used to.
You know proper monitoring forunauthorized access, proper
securing of making sure they'rerunning the latest firmware,
anything that you would seeunder normal sort of cyber
requirements.
They're requiring that onphysical planes and so that will
help.
The FDA traditionally is alittle bit behind YASA on these,
(14:45):
but it's coming.
Tsa has some requirementsaround it now, but they don't.
They don't cover, you knoweverybody, and they actually
also now just recently, made anannouncement that if you want
FAA funding for airports, youneed to include in your proposal
how you plan on protecting theairport from a cybersecurity
perspective.
So it's starting, but it willtake time.
(15:07):
We just really need to be outthere.
You know advocating, sure I'msorry, blake, real quick.
Speaker 3 (15:15):
So what about DOD, or Department of Defense in
military?
Is there any?
Is it still education there oris there any testing being done?
Speaker 2 (15:24):
Oh yeah, they're like in a completely different frame
of mind.
They are very advanced and theydo a ton of stuff in this area
and they're not like.
Their RF communication is notlike what I'm talking about,
right, so they have their ownstuff and, from what I
understand, they're aware of allthese things and they protect
(15:45):
themselves.
Okay.
Speaker 3 (15:47):
So it's kind of like the traditional trickle down
effect.
You know big companies, bigmilitaries, and then it comes
down.
But you know the system right.
Speaker 2 (15:56):
Yeah, I mean I think it's really ironic and
interesting is, if you thinkabout commercial airlines right,
some of the largest in theworld, all the names that we
know about they spend millionsof dollars a year on
cybersecurity.
They have their own, theyusually have their own socks and
they're paying threatintelligence companies.
You know half a million orthree quarters of a million
(16:19):
dollars for threat intel ontheir organizations to know
what's going on.
Very mature sort of internal.
You know cyber teams, yetironically, their most critical
and price assets the aircraftsthey have no visibility into
those at all, into what's goingon whatsoever.
And so part of what you know asituation is trying to do and
(16:40):
what I'm helping them with is,you know this is, this is a
bridge.
You know the platform thatthey're developing, which is
really it's a real time, it's avulnerability assessment, but
it's also continuous.
You know that can speak, thatcan feed data into the SIM.
You know we can.
You know it already has.
You know Mitre attack framework.
You know notifications.
It can speak sticks taxi.
I mean we need to create abridge between the existing
(17:02):
cybersecurity apparatuses andthese new threats.
In fact, at Optinine we didsomething similar.
Optinine is in the business ofyou know, like I said, managing
backups and disaster recovery,and part of that is we actually
will deploy and manage backupand replication software at our
at our customers, you knowlocations or on their servers
(17:23):
and we manage them.
And we noticed that a lot ofcustomers were coming to us to
consume those services becauseobviously they were they were,
you know, mindful of securityand they wanted a capability to
recover post attack.
And then we realized that whenattackers who are looking to
ransomware an organization getinto organizations and IT
(17:43):
infrastructure these days,they're actually one of the
first things you're doing is avery common pattern in workflow.
One of the first things you'redoing is they're looking for
those backup and replicationtools.
They're seeking them out sothat they can destroy any, any
potential for recovery and,blake to your point, if that's
what your economic benefit is, Iwant to get paid a ransom.
I'm going to do everything inmy power to improve the
(18:05):
likelihood of getting paid.
So, because we knew they werelooking for these backup and
replication tools, one of thethings we did was we built an ad
, we built this add-on to ouroffering, where we would run the
backup software configurationitself through machine learning
on our side and we would lookfor anomalies and look for
suspicious activity.
(18:26):
If the end users maybe changetheir retention policy twice a
month, it may change us toencryption once a week, change
job definitions and all of asudden in one day we see a bunch
of jobs deleted and otherchanges.
That's suspicious and becausethose things are happening
before the ransomware takesplace, it would be a predictor
(18:47):
of a ransomware attack.
And so we built that andproductized it and we tied it
into our service that if andwhen we saw that we can
automatically air gap theoffsite backups or DR or we can,
we built an API, we feed itinto the client's SIM or the
RMSP partner's SIM, and again, Ithink you have.
So it's like very it's a verysort of similar use case to the
(19:11):
aircraft.
You have this new attack vectorthat maybe it's been around for
a long time like backup service.
It's been around for a while,airplane's been around for a
while, but all of a sudden it'san attack vector that was not
encompassed by this cyber team.
Now it's being exploited and weneed to sort of build that
bridge.
Speaker 1 (19:31):
Yeah, I'm surprised, honestly, the FAA doesn't have
regulations behind this, likesome type of compliance mandates
that say, hey, if we're goingto operate in our airspace, you
have to go, like we see it in,obviously, data centers,
endpoints, cmse, yeah, yeah,yeah, any type of cyber
infrastructure.
We see these mandates alreadyexisting.
(19:52):
But the airline industry I meanit's a huge portion of our
economy, right.
So travel, the airline industry, I mean I don't even know how
much, I mean it's billions andbillions of dollars, right of
the sector that just goesunnoticed, uncared for.
I'm so surprised there's notmandates around that.
(20:14):
And so for you, I'm curious,you said it's coming right.
You did say that.
So what would those mandateslook like for you?
If you had a golden grail ofmandates, what do you think they
would include?
Speaker 2 (20:31):
Well, so you know, if you look at what IASA, which is
the European FAA, essentiallyput out, you know it's exactly
what you're saying.
We are mandating operators.
And someone asked me this theother day.
They said is it aircraft thatare registered within Europe or
that land within Europe?
(20:52):
I said, you know that's areally good question and I don't
know that there's an answer forthat yet.
But that has huge impact, right, because you know now it's like
you have every operator in theworld and every commercial
operator needs to comply.
Then at that point and you'renot just going to comply when
you land, you need to complyyour fleets fully.
But the requirements that IASAis putting out, which is called
(21:13):
the PartIS and it goes live inOctober of 25.
And I'll read them to you.
You know, and again it readsvery similar to what you know,
what you know our traditionalindustries have been talking
about for a while maintainingthe security of an aircraft
system through their lifecycle,vulnerability management,
identifying the sessing andmitigating vulnerabilities in
aircraft systems, securityawareness, training, protecting
(21:33):
the integrity and availabilityof aircraft system.
And that's a fun one, right?
I used to have a lot of funwith that one with HIPAA,
because HIPAA also spoke aboutavailability of data, which and
when I was really focused onselling disaster recovery we
would use that.
We'd say, hey, hipaa is notonly about you know people
(21:54):
stealing your data, but ifsomeone can cause your system to
go down and make that patientdata unavailable, that's a HIPAA
violation.
If you're, if you're, if youhave downtime, your bio and you
know doctors can't get thepatient data, that's a violation
.
So that's an interesting one.
The other ones, back to IASA,are ensuring the confidentiality
of aircraft data monitoring,aircraft systems for sign up,
(22:15):
unauthorized access or activity,aircraft incident response,
implementing measures tomitigate risk.
So, again, like very sort oftraditional, you know table
sticks type of requirements.
But the issue is, you know theword aircraft shows up in almost
all of these, right, and sothat's the rub there's not many
tools and systems that are outthere designed for that.
Speaker 1 (22:37):
I also see a web of jurisdictional conflicts, right?
So let's just say for example,an American airplane is flying
within the borders of Europe andsomething happens within the
borders of Europe, who hasjurisdictional authority over
that plane to investigate sadbreach?
(22:58):
You know what I mean.
Like it just, yeah, it becomesthis web of entanglement.
Speaker 3 (23:03):
I'm also envisioning some type of, you know, fly by a
hostile country and some typeof almost EMP, but specific for
aircraft, you know, like a newcyber weapon aimed at aviation.
Speaker 2 (23:19):
Yeah, I mean like so all of this stuff can happen,
you know, obviously in the airand in the sky In fact.
In fact, one of the RF systemsthat is susceptible to this is
called AVSB and basically justpositioning data and interesting
thing is, all the planesactually it's now mandated that
(23:39):
the planes do this.
So if you there's actually somepretty cool sites out there,
like if you go to ADSB exchangeor flight or flight tracker,
which is a really cool app youcan install on your phone, you
might have those right now.
They're awesome, they haveaugmented reality.
You can just point your phoneat any plane you see flying past
in the sky.
It tells you the tail number,it tells you where it came from,
where it's going really coolstuff.
(24:00):
But if you look in the cornerbehind me, I have a little, I
have a little radio there.
I'm participating in this ADSBexchange.
You go to the website.
It shows you a global map ofwhere every single plane is in
the world right now and that'sall.
That's all hobbyists like methat are that are sort of
contributing to this network.
It's like SETI and it's cool.
(24:20):
My little radio back here.
I can.
I can receive signals within300 miles.
If I can look at just my map,it's actually awesome.
It's a little Raspberry Pi witha $50 USB radio.
It's not a lot of fun, butanyway, the planes all put out
these signals and so that's cool.
Here's where I am.
One of the interesting thingsis that there's this collision
(24:41):
avoidance system where theplanes receive the signals from
the other planes in the area andthe planes actually speak to
each other and they basicallywill say they form this
consensus it looks like we'regoing to, it looks like we're
going to collide, I'll go, I'llgo up, you go down, I'll go left
, you go right.
And these messages arebasically shown to the pilots
(25:06):
like hey, your, your collisionavoidance system is going off.
We recommend that.
You know we want to move tothis position and we want to do
this.
Press the button.
And so very easy to send a fakemessage and cause and cause
that, cause that and cause theplane to move or change position
.
Speaker 1 (25:23):
I'm really curious, so something that I know.
This is more kind of contentfocused, but you know, obviously
, when the Super Bowl washappening and you know,
obviously Taylor Swift wasflying across the ocean and
people were tracking her flights, and then now you see there's
(25:44):
this young guy can't think ofhis name, but I'm sure you know
the young guy who's trackingcelebrity jets and posting that
information Tracking Elon Muskat one point.
Yeah, same kid.
So something that nobody reallytalks about and I'm curious to
get your take on is transparencyof of this information right?
(26:06):
Because they're they're usingfederal airspace, right, they're
using federal tax dollars,obviously, and so there has to
be some type of window for thepublic.
Where, where do you define thatRight?
Speaker 2 (26:19):
Well, so that's what's actually happening, right
?
So if you go onto these sitesyou can see all the planes and
you can see their tail numbers,the, the FAA registered tail
number.
And if you go to the FAA'swebsite you can look up any tail
number.
It'll tell you what type ofaircraft it is, give you some
registration info and give youownership and typically what,
(26:40):
what is done to sort of to sortof obfuscate the ownership in
the.
You know, I don't, I think thecommercial operators, they don't
care, you know, it's like theyjust put it out there.
But definitely in the businessworld side, an LLC, a new LLC,
is created per aircraft andthat's sort of like the, the
paywall that you can't getbehind, and so you don't
(27:01):
necessarily know who the LLC.
I mean, you know, ironicallyenough sometimes, that now you
can go digging and you can lookat the LLC and you look at the
address and it's fairly, youknow, like I saw one that you
know typically they'll put likethe initials of the company.
You don't need to.
But that's the thing.
If you can, once you get thename of the LLC, if you can
figure out who owns that LLC orwhat it's related to, now you
(27:23):
know who's playing it is.
Now, what can they do?
I'm sure there's a way to.
Maybe, I don't know, maybe youcan request to change your tail
number, maybe you change the LLC.
But once someone has thatassociation, once you can get
from tail number to kind ofowner they are the operators.
Now mandate to put out thesesignals of here's, here's where
(27:44):
I am right now, here's my tailand here's my position, and then
it's trackable.
I think and that's a thing,that's an interesting thing Like
it's like you know people.
I think the person who wastracking Taylor Swift, you know
they sent him a cease and desist, right, and they sent him all
this.
Like we're going to sue youbecause you're putting her, like
, at risk, and all this.
But meanwhile, you're right,it's publicly available
(28:06):
information.
He's just bundling it up in away that's easier for folks to
see.
Speaker 1 (28:11):
And I'm assuming you believe in that ability to do
that right, I mean.
Speaker 2 (28:18):
I don't know, I haven't really thought about it
much.
I mean, on one hand it's youknow it is it's it's related to
federal government and this andthat and taxpayer dollars.
On the other hand, it does makeit easier right to conduct
these attacks.
Speaker 3 (28:32):
But I wonder if it needs to stay public.
Speaker 2 (28:36):
Well, yeah, well, the tail number is.
You know, the tail number isjust a number, right?
I think maybe the registrationinformation right, that's what I
mean.
Yeah, maybe not showing theowner or maybe, you know, maybe
that has to be behind like afreedom of information act
request or something that makesit more difficult.
Speaker 1 (28:58):
We're starting to see a lot of.
You know we talk about liketrust lists, like zero trust
frameworks, a lot, and you knowthere seems to be kind of a
divide of people that say no,zero trust isn't the way, and
people saying zero trust is thefuture.
I'm curious.
I could tell by your facialexpression you have a few things
(29:20):
to say.
Speaker 2 (29:23):
Zero trust has been, you know, overly it's turned
into this overhyped marketingterm.
Look 15, 20 years ago, you know, in our offices in the optinine
at that point it was Web Airoffices we had a whole bunch of
employees, we were techcompanies like it's not a fair
(29:43):
example, but we wanted to secureour staff and our people and
ensure that, you know, there wasno data leakage.
So every employee was put intheir own VLAN and when they VP
and in, they ended up in thatsame employee VLAN and so there
was segmentation.
They were not on a shared layertwo network and it was that was
(30:04):
.
You know, we were doing zerotrust without having a fancy
name for it, and that's whatbothers me.
I think that you know going.
You just sort of I worry thatthere are business owners that
are out there who read the news,see these stories about
ransomware and basically intheir head they're like well,
(30:26):
I'm okay because I buy backupsor I have a disaster recovery,
or I pay the security company totake care of everything for me,
and there's all these likethere's so many bad assumptions
related to cloud and securitythat people have a false sense
of security and they just sortof discount it and, as you guys
know, this is all multi-layered.
There's no, there's no.
(30:47):
If I have X, then I'm secure.
And I think we fall into thattrap with zero trust.
We subscribe to zero trust,therefore we're all set, we can
ignore everything else.
And that's what scares me isthe marketing aspect of it.
There's a company that isfocused on cybersecurity for the
space vertical, for digitalinfrastructure and space, and so
(31:08):
there's an AWS snowball, which,if you don't know, is a
glorified Raspberry Pi computedevice and it's an edge.
It's okay, it's an AWS edgecompute device, but under the
surface it's pretty much aRaspberry Pi.
Anyway, there's one of those onthe space station, and so, from
a marketing perspective, it'slike whoa, we have edge compute
(31:29):
in space.
You know we can conductcomputational things in space.
We have public cloud in space,raspberry Pi, and that's cool.
Like you got to start somewhere.
But then this other companycame along and says hey, we're
doing zero trust in space.
So, marketing perspective, Ithink it's great.
I would have done the sameexact thing, but we got to be
careful, you know.
So do I believe in your trustprinciples?
(31:51):
Yes, is it to be all into all?
Speaker 1 (31:53):
No, that's kind of funny to me.
Obviously, we want to talkabout the future.
Right, I know you don't have acrystal ball, but obviously you
kind of seems like you have apulse on where the future of
cybersecurity is heading.
Is there any type of excitingdevelopments that you feel like
(32:15):
that are happening now that maybe game changing or
groundbreaking in the future?
Speaker 2 (32:23):
Well, you know, I think I said at the beginning,
but one of the things that alsoscares me is the fact that if
you look at the role of ITmanagers, of CIOs, vp of
infrastructure, whatever youknow, the amount of sort of
responsibility put on theirplates year over year is
(32:43):
increasing and, in manyorganizations, smaller.
Obviously.
There's typically not aseparate sort of security
apparatus there than tasked withowning all the security stuff
as well, and I think one of thethings that a lot of those folks
in those positions don'trealize is part of their job is
to manage complexity group, isto have a focus on ensuring the
(33:04):
most simplest architecture thatthey can find which still
satisfies the business needs andprovide some level of
flexibility.
That should be one of theirgoals, but I don't think that
they're really thinking that way, and so we end up with this
vast sprawl that we're all awareof, right?
We end up with cloud sprawl.
We end up with, if you look at,something like SASE, right,
(33:27):
another great marketing term.
Thank you, gartner is cool, butit's not one product, it's like
50 products, and so people needto like really focus on
simplifying their environment,because the more complex it is,
obviously the harder it's goingto be to manage, monitor, secure
and scale it right, and itbecomes almost impossible, and
(33:48):
so we need to take a very activeapproach on managing complexity
.
If that's not done, it willalmost become impossible.
And again, I think that alsomeans the outlook is good for
managed vendors, mssps, managedsecurity vendors, managed cloud
vendors, all that and so I thinkwe're going to see, in the
(34:08):
future, outsourcing to best andbreed becoming much more common,
because, as things get morecomplex which they will it's
going to be almost impossiblefor internal teams to do it.
Speaker 3 (34:22):
I think, by the way, I think it's well-heating fruit.
Speaker 2 (34:24):
I think if you have remediation list of 50, you
don't like, hey, I'm just goingto give it to my vendor.
Yeah, I have spent some timelooking at what's happening with
digital infrastructure in space.
It's just an interest of mine.
I think it's just super, supercool to geek out on Space-based
data center, space-based edgecompute, space-based
(34:47):
connectivity.
There's a company, actually,that was a great launch
Yesterday.
It was a SpaceX ridesharelaunch, the first of this year.
The rideshare launches areawesome because they're
typically like 100.
I looked at my LinkedIn.
There was like 30 differentcompanies that were in space.
We made it because they're allin the same rideshare.
But it was a company that'sdoing cell phone towers in space
(35:10):
, direct to device.
I'm on my normal iPhone I don'twant Android and I have cell
phone access because I'mdirectly connected to a cell
phone tower in space.
How cool is that?
Now you think about where's thecontent?
Well, why not just put it inspace, in the space data center,
which gets free power and freecooling?
Is it going to happen tomorrow?
(35:31):
No, but I think it's super funto talk about.
That.
All needs to be secured Now.
There's a lot of optical links.
Now all the space-basedconnectivity is optical in
nature.
Amazon Kuiper is already doing100 gig satellite to satellite,
spacex is doing satellite tosatellite.
Now how do you secure that?
(35:52):
I don't know To me.
Now, going back to complexity,look at the increased complexity
there and now apply yourcybersecurity frameworks to that
.
Sorry, go ahead.
Speaker 1 (36:09):
No, I was just sorry.
I had a really quick follow-up.
It brings up a lot of thoughtsto my mind Now.
I haven't seen any mandates orframeworks around satellite
security.
Yeah.
Speaker 2 (36:24):
People are talking about.
I mean, within the satelliteindustry there's like a subgroup
.
But again, going back to radiofrequency communication, a lot
of it has been and I think that,going back to your question
about aviation and the lack ofrequirements, a lot of it's been
security by obscurity and thefact that these things were,
from an engineering perspective,very difficult to do.
(36:44):
But it's amazing to see howquickly it's gone from theory to
active exploitation in the wild.
I'll give you another examplethat touches on space and
security and even complexity isthere's a company that's spun
out of Google I don't know howto pronounce her name.
It's called Al Yara, but if youthink you guys are familiar
(37:06):
with SD-WAN, the capability ofoverlaying on top of multiple
internet connections and allthat.
So what this company does isthey created something called
like temporal space software tofind networking, like they made
up a really co-acronym.
Then their focus is on meshing,is on taking terrestrial fiber
connectivity, terrestrial5G-based connectivity, multiple
(37:32):
satellite operator connectionsand creating a mesh network.
That is creating an overlaidmesh experience where, if
satellites are blown out of thesky, if your network is cut,
whatever your connectivity canmove from one part to the other
with no disruption at all.
(37:52):
To me, it's super cool.
It's something that we didn'teven think we needed, but now,
as these new options forconnectivity become available,
we're going to start using themNow.
We need a way to manage thecomplexity Now.
How do we ensure security?
How do we ensure securityassurances?
As we go from platform toplatform, I think there's always
(38:15):
new problems to solve as weforce ourselves.
It's almost like self-effortingprophecy New technology we
never knew we needed it, but nowthat we see it, we want to use
it, and so we're going to use itNow.
We just made our lives morecomplex and now we have to
secure the more complex reality.
Speaker 1 (38:36):
Yeah, yeah.
Well, we went down the rabbithole of space.
We went down the rabbit hole ofaviation.
We talked briefly on Cloud.
Obviously a part of you joiningour podcast, obviously you're
tapping into our audience andour viewership and our listener
base.
Is there anything We'd like toobviously give you the platform
(38:59):
here.
Is there anything that you feellike we didn't talk about that
maybe you had on your mind?
Speaker 2 (39:08):
Well, I would say, just going back to the comment
about assumptions, don't assumeanything.
A lot of people like to checkthe box around backups, disaster
recovery and again, I think themost important thing that an
organization can answer himselfis do we have an appetite to
take ownership andaccountability of managing X, y
(39:28):
and Z, of being responsible thatwe've set up our AWS account
the right way and that wechecked all the boxes?
Do we want to be on the hook?
Do we want to be on the hook toensure that our disaster
recovery configuration isworking properly, or would we
rather just sign a contract forit and hold a vendor accountable
to an SLA?
And I think people don'trealize.
When you think about managedservices I think you guys have
(39:50):
similar services is you're notbuying bits and bytes or X
amount of storage.
You're buying performance, likewith Optinine.
You're entering into a contractthat we are going to ensure
that your disaster recoveryinfrastructure is up and running
with the specified RTO ofrecovery time and that your data
is no longer than X amount old.
(40:11):
And if we happen to be usingthe wrong hardware
infrastructure on our side toget that job done, well then
it's on us to spend any amountof time or any investments to
ensure that we upgrade so thatwe're meeting the performance
requirements of the contract.
And so the first question iswhat do we want our IT folks
(40:33):
managing infrastructure andsecurity and cloud and backups
in DR or do we want them focusedon adding value to the business
?
That is super important.
By the way, I've worked withmany very large organizations
who totally have the technicalcapabilities and the teams to do
all that, but they've made theconscious decision of we don't
want to be on the hook for it.
We'd rather have a contract andsue someone to get to that, to
(40:56):
be responsible for it.
And so I would say that toeverybody.
Think about that and also thinkabout the assumptions that you
might be making of we're goodbecause and then talk to a
vendor Optinine is great atmanaged disaster recovery,
backups, managing cloud,especially with what's going on
with Broadcom and VMware rightnow.
(41:16):
I don't know if you guys arefollowing that.
Yeah, yeah, it's a mess.
I know it's going to cause aton of consolidation.
I mean that was a really goodtime If you were teetering.
Well, maybe should we keeprunning our own VMware.
Should we keep running our ownhardware One of the cool things
that Optinine does is we runmanaged VMware private clouds
(41:37):
and so we can move your existingVMware-based infrastructure to
keep it on VMware.
Our pricing is much better thanwhat your renewals are coming
in at Integrate to your existingnetwork and adhere to your
existing security framework sothe best of both worlds.
So, yeah, those are interestingthings I think to put out there
for Optinine.
(41:57):
And then myself I'm involvedthere.
I'm also doing some consulting,so if there's anything I've
mentioned that is interesting,feel free to hit me up.
But, as you can tell, I love tochat about these things.
Speaker 1 (42:08):
Yeah, yeah.
Tell our listeners how they canreach you, how they can
communicate with you.
What's the best means to makecontact to you?
Speaker 2 (42:16):
My personal website is 10forwardai number
10forwardai or find me onLinkedIn.
Speaker 1 (42:23):
Yeah, we'll find it and we'll drop some links here
in the description.
Awesome, I think that's allthat I had, craig, any.
Speaker 3 (42:32):
No, I think that was great.
So one last question I had onthe Optinine Do you support most
of the modern regulations?
I know you mentioned HIPAAcompliance, assuming that maybe
you're achieving or headedtowards CMMC compliance.
Is there anything that you guysdon't do or that you like in a
(42:55):
certain regulation or vertical?
Speaker 2 (42:59):
Yeah, I mean, is there anything we don't do?
Well, no, we do all of them.
If it's FedRAMP, that's theonly one that's a real fun one
to talk about.
But when we do FedRAMP, we liketo partner with AWS, govcloud.
Besides that caveat, we do allthe rest, and what we do and our
strategy around compliance iswe've taken our SOC2 audit and
(43:22):
we've added all of theadditional frameworks and we
added a section that shows howwe demonstrate how we comply
with all those and we map themback to our SOC2.
And we also let the client knowhey, for this specific
regulation, this one's on you.
And so we are mapping to CMMCand to ITAR and CJIS and HIPAA
(43:45):
and GDPR and probably 50 more.
Speaker 1 (43:50):
I should make you both aware of this.
It's always so annoying for us,but I mean, we find some fun in
it.
Speaker 2 (43:59):
Yeah, I saw CMMC on your website and I thought
that's like a super interestingone where it went, where it's
heading and, to me, what's goingto happen in the aviation
industry from a sort ofsubcontractor perspective.
I think it's going to look verysimilar to what's going on with
CMMC right now.
Speaker 1 (44:15):
Yeah, cmmc is our bread and butter.
Craig and I are both CMMCcertified.
I'm an RP, craig's an RP andwe're an RPO, so that's kind of
our bread and butter for sure.
Awesome.
Speaker 2 (44:29):
Well, thanks for your time.
Thank you.
Speaker 1 (44:32):
Yeah, thank you so much for coming on.
We appreciate the opportunityto speak to you and I'm sure we
will definitely stay in touchand we'll definitely see you,
probably likely in the future.
We will follow up and make surethat we check in on you and our
listeners as well.
We'll ask you back for updatesand, yeah, looking forward to
(44:52):
doing that with you.
Speaker 2 (44:54):
Awesome guys.
Thank you for the time.
Appreciate it, Thank you somuch.
Thank you.
Popular Podcasts
Are You A Charlotte?
In 1997, actress Kristin Davis’ life was forever changed when she took on the role of Charlotte York in Sex and the City. As we watched Carrie, Samantha, Miranda and Charlotte navigate relationships in NYC, the show helped push once unacceptable conversation topics out of the shadows and altered the narrative around women and sex. We all saw ourselves in them as they searched for fulfillment in life, sex and friendships. Now, Kristin Davis wants to connect with you, the fans, and share untold stories and all the behind the scenes. Together, with Kristin and special guests, what will begin with Sex and the City will evolve into talks about themes that are still so relevant today. "Are you a Charlotte?" is much more than just rewatching this beloved show, it brings the past and the present together as we talk with heart, humor and of course some optimism.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.