
November 2, 2022 11 mins

Have you ever heard or wondered about endpoint security or operational technology (OT)? Listen to SNC’s former Director of Cyber Programs Pete Fischer talk about how OT and cybersecurity impact your daily life.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Ariel Stenger (00:00):
Hello, and welcome to this episode of You Got Hacked, a podcast produced by Sierra Nevada Corporation's cybersecurity team. On You Got Hacked, we focus on cybersecurity issues, current events and technology solutions specific to protecting Operational Technology at the endpoint to make you, your family and your community smarter, safer and more secure from the ever-evolving cyber

(00:22):
threat landscape. I'm your host, Ariel Stenger. So, today I'm meeting with one of my mentors who doubles as my boss, Pete Fischer. Hello, welcome.

Peter Fischer (00:32):
Hi. Thanks for having me.

Ariel Stenger (00:34):
Thanks for joining us today. So I'm hoping to pick your brain and learn more about this thing called endpoint security. I enter air quotes here, endpoint security, what is it? What does it mean? Why does it matter? And really trying to figure out how does this impact utilities and critical infrastructure? I was also kind of thinking are

(00:55):
endpoint, is endpoint security tied to smart devices and these things that are all over our house pretty ubiquitous, whether it's an Alexa or Google Home at your house, just kind of tying all this together in the cyber world, helping us understand what this is. So before we get started, Pete, can you give yourself a brief introduction?

Peter Fischer (01:16):
Yeah, thank you. So, Pete Fischer, I am the senior director of cybersecurity programs at Sierra Nevada Corporation. My role is to produce novel products, and deliver solutions to our customers to protect their critical systems. One of the, one of the key ways that we do

(01:37):
this is a product we have called Binary Armor. And I'm sure we're gonna get into it a little bit later. Binary Armor is one of these endpoints cybersecurity devices that you talked about. And so we deliver Binary Armor and we also deliver a bunch of other products that again, help people protect against critical

(01:58):
threats.

Ariel Stenger (02:00):
Yes, it's interesting. It's interesting work. And I love working on the team. But if I can ask, how did you, how did you get into software engineering? I mean, I imagine you as a, as a little kid, maybe was, were not dreaming of working as a software engineer at, the whole time. So tell us a little bit about your story and how you came to where you are now?

Peter Fischer (02:19):
Sure, dialing the clock way back,

Ariel Stenger (02:22):
like 100 years?

Peter Fischer (02:25):
Not quite that far back in the neighborhood. Yeah, originally, I was, I was...so, so my career spanned a couple of different phases. First phase was actually doing... So I have an electrical engineering degree, actually not a software degree. So first was doing Application Engineering,

(02:46):
and, and work in the field. That was where I started my career. And so then that, that informed me a lot on problem solving. It was a great, great first job, I then moved to, to a role where I had the opportunity to start delivering embedded software and

(03:07):
embedded solutions and be the, one of the key, one of the key software engineers. So I took that, and I spent 10 years developing, again, as a as a engineer in developing software products, and embedding those products into devices. One of the interesting things that I learned through that process was

(03:27):
security or lack thereof. And this was in the in the '90s. If you recall, when, you know, it was a little bit wild west, everything was happening. Everything was getting connected, the Internet was kind of raw, we were learning a lot of lessons about what to do and what not to do. And it was really all about, hey, let's have things connected, right?

(03:49):
Let's allow people to do things easier. And then the security, of course, started becoming a bigger and bigger part of that. So fast forward to moving on to Sierra Nevada Corporation for the last 14 years. It's kind of been building on all those lessons learned of those first two roles that I had, and then taking it and applying it to a DOD space, and then a

(04:12):
cybersecurity space over the last, you know, seven or eight years, really focusing on not just that allow things to work, but allow them to work safely and securely. And in fact, then just focus on how do I help other people on that journey of making their products here?

Ariel Stenger (04:32):
That's excellent. That's so interesting to hear. You started kind of in the field with an electrical engineering background and moved all the way through the internet of things as the internet of things was, was originally rooms full of computers, all the way through tiny little phones that are that, are in our hands and sensors kind of all over the network. So maybe let's just start here with what is an

(04:54):
endpoint and kind of what is the endpoint security piece of this?

Peter Fischer (04:58):
Sure. So um, only do that when we give our classic description of the world. We look at it as as having two things. There's IT, or there's what you and I use for electronics. And then there's the machines.

Ariel Stenger (05:12):
Okay.

Peter Fischer (05:13):
So there's people and machines. SNC and Binary Armor is really focused on the latter. So endpoints apply in both cases. You and I probably have heard of endpoints for our phones, a phone is an example of the IT side of an endpoint. On the machine side, an endpoint could be a transformer at a

(05:34):
substation, it could be a valve, it could be a PLC that controls like in like in Florida, it could be a PLC, that controls the amount of chemicals that can put into your water.

Ariel Stenger (05:45):
So a PLC is a programmable logic controller. What that is is general something that controls an endpoint cybersecurity device or a machine that sits out at the endpoint.

Peter Fischer (05:57):
It can be a lot of things, but it is the it is the last device that is responsible, in our world, it is the devices and systems that are responsible for taking actions and for, and for being that infrastructure that that we rely on.

Ariel Stenger:
Excellent. So, so if I had to draw the same sort of parallel between this IT, information technology and OT, operational technology, on my phone, if I, if I have this IT device, and I need security on it as the endpoint, that'd be

(06:31):
something like my iPhone has face recognition and a password, what would be the equivalent on the OT or the machine side?

Peter Fischer:
Sure. So a couple of different things. There's on your phone, what you're really worried about, and IT in general, you're worried about data, you're worried about

(06:53):
somebody getting access to your phone, and taking some information off that phone. You know maybe it's your contacts, maybe it's access to your emails,

Ariel Stenger (07:01):
Some picture from spring break.

Peter Fischer (07:05):
Exactly. That picture. So it's, it's all of those things, but, but in all seriousness, your bank account, having access to your passwords and being able to do that kind of thing. That is what you're worried in an IT perspective. In an OT perspective, you're worried about, so so there isn't

(07:26):
information to steal, you're worried about actions. You're worried these machines are responsible for providing us electricity in our homes, providing us clean water, fuel. We saw with Colonial Pipeline right when a, when we have a, a

(07:48):
shutdown to an operational technology system, it can have huge real world impacts.

Ariel Stenger (07:55):
In 2021, the Colonial Pipeline, an oil

(08:30):
pipeline system, was hacked by an alleged group based in eastern Europe. This ended up causing a six day shutdown, absolute panic about buying gasoline in gas stations, airlines being completely without fuel and just real general hysteria across the east coast. There are many places that had to find fuel from other companies which led to a shortage and an incredible increase in price. The hackers who were responsible for this demanded a cash payout or ransom, which Colonial ended up paying. With the Colonial Pipeline hack we saw the repercussions first hand of how essential and vulnerable our critical infrastructure really is. This malicious attack actually ended up hurting the company and impacted the d

Peter Fischer (08:44):
We are talking about protecting those machines. So they continue to operate, and they continue to deliver what they were built to deliver. So, you are protecting against actions that might damage or disrupt how those systems operate.

Ariel Stenger (09:01):
Okay, so from this, this sort of context here, it sounds like a lot of these machines and, and systems are really controlled by, by public organizations, like you mentioned utilities and water. From a security and a cybersecurity perspective, what do normal everyday citizens, what kind of tools do we have to make sure that these systems

(09:25):
are, are protected adequately?

Peter Fischer (09:27):
It's not necessarily our role per se, to protect those critical systems. I mean, it is our role to help, you know, incentivize, if you will, our utilities, for example, the infrastructure bill that was passed a while ago. It has incentives for utilities and for others, to put hardened

(09:47):
cybersecurity...in fact, I think they even they even mentioned endpoint cybersecurity protecting those critical systems. So the best we can do is to incentivize and align protecting our systems with the best interest of those utilities.

Ariel Stenger (10:04):
Perfect. So, everyday people like you and I, without our SNC hats on, without our Binary Armor hats on, we could talk to local, local officials, local elected officials, vote with, with each election based on people who also share this sort of alignment and protecting critical infrastructure.

Peter Fischer (10:23):
Yeah.

Ariel Stenger (10:24):
Yeah, that's interesting is are there any other things that you would you would recommend someone to do, or actions that someone could take in order to help incentivize at the, at the local or the municipal level?

Peter Fischer (10:36):
They can certainly learn. I mean, become educated. BinaryArmor.com is a great way to go to our website, learn about operational technology, learn about some of the things you can do. It's information, reach out to us if you'd like to ask about some specific, but get yourself informed so that you're an informed citizen. You can ask

(10:59):
the right questions, and you can find out more about, you know, all these things that matter to your daily life.

Ariel Stenger (11:04):
Excellent. Well, thank you for spending time today with us on You Got Hacked. We look forward to chatting maybe later in the next season.

Peter Fischer (11:12):
Thank you. Appreciate it.

Ariel Stenger (11:14):
Thank you for listening to this episode of You Got Hacked, brought to you by Sierra Nevada Corporation's cyber team. For more information, you can visit us online at sncorp.com. That's sncorp.com. A special thank you to our guests and, of course, all of you our listeners. I'm Ariel Stenger. See you next time.