The Sustainability Podcast

Larry O'Brien and Jim Frazer Interview Joel Rakow of Fortium Partners

April 10, 2020 The Smart Cities Team at ARC Advisory Group Season 3 Episode 3

In this podcast, we interview Mr. Joel Rakow of Fortium Partners, which consists of a network of world-class technology executives that are hired by Fortium clients in an advisory role.  Joel is a partner in the Los Angeles practice of Fortium Partners. He brings more than 25 years of technology leadership experience in the area of e-crime risk management, which encompasses all elements of both physical security and cybersecurity. Rakow is globally recognized in the field of technology security, having served as an advisor to the Secret Service and Los Angeles Electronic Crimes Task Force and a representative member of the FBI Infragard, Adobe Software’s Advisory Council, and the Receivers Team for the State Courts of California. 

In this episode, we talk about the role of cybersecurity in building automation, the lack of relevant experience in cybersecurity that many workers have at the OT level in today's built environment, and what we must do to address these concerns.  Many of the systems in today's intelligent buildings have the potential to impact human health and safety, particularly in this very vulnerable moment in human history.  The COVID-19 pandemic has brought with it a surge in cyber-crime.  It's time to raise the level of awareness of cybersecurity among OT level workers in today's built environment and get serious about securing our buildings.  


spk_1:   0:00
Broadcasting from Boston, Massachusetts, the Smart Cities Podcast is the only podcast dedicated to all things smart cities. The podcast is the creation of ARC Advisory Group's Smart City practice. ARC advises leading companies, municipalities and governments on technology trends and market dynamics that affect their business and quality of life in their cities. To engage further, please like and share our podcast, or reach out directly on Twitter at Smart City Viewpoints or on our website at www.arcweb.com/industries/smart-cities.

spk_2:   0:49
Good morning, everyone. This is Larry O'Brien of ARC Advisory Group, and welcome to another edition of the ARC Smart Cities Podcast. I have with me here today Jim Frazer of ARC. Morning, Jim. And also Mr. Joel Rakow of Fortium Partners. Fortium Partners, I should say. So, good morning, Joel.

spk_0:   1:10
Good morning. Nice to talk to you both.

spk_2:   1:13
Yeah, thanks for joining us this morning. So just by way of introduction, Jim Frazer and myself are part of the Smart Cities team at ARC. We host a lot of these regular smart cities podcasts. I am also on the cyber security team at ARC. Jim, you want to say a couple of words about yourself, and then we can introduce Joel?

spk_1:   1:33
Sure. I'm the vice president of smart cities here at ARC. Our team covers the nine verticals of smart cities as well as the underlying technologies. Um, and, uh, I'm just happy to be here, Larry. Thanks for inviting me.

spk_2:   1:48
Thanks. And Joel.

spk_0:   1:51
So I'm with Fortium Partners. We have 100 CIOs and CISOs around the country. Everyone has held the position in a nationally prominent company, from Google and Apple and Salesforce to Dun and Bradstreet, Allstate, Jacobs Engineering. Almost all the companies are recognizable. We're a national firm. I focus on building IoT, which is a subset of building systems, which can include building automation and industrial control systems. And the reason I call what I focus on the junior varsity of building systems: it's things like, uh, voice over IP phone, video surveillance, access control, office building, office machines, elevators, everything left of, um, engineered HVAC and right position is that it's a kind of not very well covered area. There's no technical organization that really has oversight over it at a very close level. And, uh, there's a lot to be learned, um, I think, from other areas. IT can learn, and industrial control systems and building automation, by what happens in this open and kind of unprotected space.

spk_2:   3:22
Yeah, I think that's an interesting topic, and it's one that we cover at ARC pretty extensively, too. I don't know if I would call it junior varsity, because to us, anyway, um, all those systems that you mentioned, like video surveillance systems and access control, those are all part of the OT world of building automation systems, right? I mean, these are systems that have a direct impact on the people that live and work in these buildings, you know, on human safety and many other factors. So these are essential systems to me at the operating technology level, um, that are being affected by this sort of influx of IoT into this world of, you know, what was formerly dominated by a lot of these sort of proprietary, very isolated kind of systems, right?

spk_0:   4:14
Yeah. Well, I... Yeah, okay. I mean, I just use the junior varsity kind of as a metaphor that, you know, the best coaches are not always overlooking this technology. Yeah, one way to think about it.

spk_2:   4:27
Right?

spk_0:   4:28
And it really seems like, in looking at the research of cyber attacks, that this is the entry point. Uh, this is where, um, certainly nation states gain their foothold inside the perimeter of a company. And then they'll move either, you know, to the right to IT or to the left, SCADA and building automation systems. But more than half, according to the Harvard Business Review, more than half of all cyber attacks on American companies, um, in the year 2017, they got their initial point of entry through building systems. Then Microsoft came out only a couple of months later. This, you know, the research appeared last year. In 2019 Microsoft came out with an IoT Signals and said the three most common systems that, um, successful attacks for American public corporations, attacks perpetrated by nation states, and they identified 1400 of them. The top three building systems that they gained entry through were, in order, voice over IP telephone, video surveillance, the recording component, and office machines.

spk_2:   5:55
Huh. Yeah, that's obviously a big problem. We see the same problem too at ARC, that the whole topic of cybersecurity, uh, is really not much discussed or addressed within the building automation segment. I think it's just starting to now. You know, we see some momentum coming along as far as more stringent controls and, you know, developing worker knowledge in that area and so forth. But you had a pretty interesting article, um, that they came across on LinkedIn, which is how we originally met, um, that are the sort of five game changers for 2020 that are going to sort of, you know, provide more of an impetus towards implementing stricter cyber security controls within building automation. Can you talk a little bit about what you think those five game changers are going to be this year that are going to change the whole picture for us?

spk_0:   6:48
Sure. Well, the first one is exactly what you said: that we have a clearer understanding of how building systems and building IoT, which, again, the junior varsity type systems, how they function in this. So we've got the research from, um, uh, Harvard Business Review, and we have the research from Microsoft. Then, on closer inspection of these three systems, there's one thing that they all have in common. They're all basically driving an analog reality, um, to a digital signal, which then becomes packetized for Ethernet transmission. So if you think about this from a strategic point of view as a hacker, this is a place where the systems are largely unprotected. It's a place where there's two or three points of vulnerability: the translation from analog to digital, and then from digital to packets, and then actually the point where they enter the infrastructure of IT. So think about this. We're getting to the signal before it becomes, um, part of IT infrastructure, where all of these vendors who say that they're monitoring for intrusion and for cyber breaches are using, you know, the IT technology and IT method. But the hackers are successfully getting their traffic in there before it enters the IT infrastructure. And so their traffic looks just like all the other traffic, and they can perpetrate whatever, you know, the exploit is, undetected. And that's how Stuxnet worked, Aurora worked, all the major, sophisticated cyber attacks. Plus, you know, probably dozens of others we're not aware of that are under the radar. That makes sense?

spk_2:   8:57
It makes sense to me, and yet it's really coming into that sort of deep OT level, right? If you're familiar with the Purdue reference model for manufacturing, that's level zero, level one, right?

spk_0:   9:09
That's right,

spk_2:   9:09
Um, which I think is a little bit different, maybe, from what we've seen in some of the attacks in the world of manufacturing, where they tend to come in, you know, through upper level networks and sort of drill their way down into the OT layer. So it's a little bit of a different approach.

spk_0:   9:27
Okay, so the problem is that this number one situation that got all clarified, but you would say, well, okay, so let's just pay a little more attention to securing these building IoT so it's not so easy to get into the voice over IP system and the video surveillance and the building machines. But then NIST comes out in 2019 and says, we can't give you a standard for IoT. There are at least 50 considerations that have to be applied in order to figure out how to secure these devices. And of those 50, the configurations, almost all of them have to be done manually, because these devices never went through that interoperation period where all the IT devices, remember interoperability, well, these conferences used to happen. Well, the folks who developed these IoT devices, now I'm saying the building IoT, because these folks have been around long before the Internet, and they had their practices and their policies and their manufacturing systems and design people. They existed before the Internet, and they didn't change quickly enough. And so a lot of modern and sort of the more contemporary IoT devices are a little more security aware. But these are other companies, these building IoT, these get pretty big companies, and it takes them a while to turn the ship around. And even today they're marketing things with default passwords, with only one user account, and those passwords, oh, if anybody gets, you know, the password, they can get in and you can't tell, because it doesn't log. And even if it did log, you wouldn't know which of the users was using the same password. Dozens of issues like that. Firmware can't be monitored. You don't know what version of the firmware. So NIST just struck out. They said, we can't give you a standard, but we can tell you what the considerations are and the types of configurations you have to make. Big, big revolution. Because everyone in this industry, and not, I'm not this industry. 
But all end user organizations were thinking they could just rely on having a NIST standard apply. And you hear the question: does this comply with, um, with NIST, or what NIST framework does this comply with? Well, NIST said it isn't gonna happen.

spk_2:   12:17
Yeah, the world of buildings is a little bit different, in that we do have some standards activities in the industry that I think apply to buildings. But I've said a lot of times the industry itself hasn't rallied around a standard for cyber security yet. Um, we kind of believe in the IEC 62443 standard, and there's some efforts going on there. But the industry has not, like you said, officially adopted a standard, right? So that's still a problem.

spk_0:   12:42
When they do, remember, these systems are pretty expensive, and, you know, they sort of have a life cycle of 10, 15, 20 years.

spk_2:   12:51
Yeah, 20 years or more. It always surprises me how old some of the systems are that are installed out there. And that's one of the unique things, I think, in this segment: you have this mixture of extremely old systems and this brand new IoT stuff that's coming down, and it makes it difficult to manage if you're at the operational level.

spk_0:   13:11
Yep. Those were two really big game changers, I think, that happened last year. So now the third one is NIST, by identifying their considerations and the configurations, is basically saying, and we think that this is really important, and at Fortium we've made a pretty big response to this particular change, they said: it's up to you guys to secure these devices at the device layer, at the device itself. Because the IT tools, you know, they just don't work for your systems, because your systems were designed without security and centralized management as a primary design consideration. So we took the response, and I won't go into this very long, but this is kind of proprietary, um, and we developed what we call the Never Cry cyber defense for building IoT. And it's a method of helping, um, the suppliers of building IoT develop security practices that are commercially viable, and being transparent about it. And it's a way to kind of raise the level of security among these building IoT devices. But the third thing really is that we need to start focusing on the devices themselves, and somebody needs to get out there and climb those ladders and do that work to secure the devices, or do it when it's installed. And the controls are not heavy. They're not expensive. They don't take a long time, if you know what you're gonna do, if you know your system and you know the controls when you're doing the actual installation and the setup. You know, it might add less than 1% of the time for the project deployment. But it will secure the, uh, you know, secure the devices. And so that's the third one. The fourth change is that a lot of technology has come to market in 2019, in a critical mass, to secure these devices at a network layer. So the beauty is that you have a device layer security, and there is the capability now of a network layer security. 
And, you know, having two layers of security is probably a commercially viable, um, way to, you know, exist in the market and feel like you've done a reasonable job of protecting your systems, although we still have to get to the people one. But we'll get to that in a minute. So

spk_2:   16:10
Yeah, that's consistent with, like, a defense in depth approach.

spk_0:   16:14
Yes. Oh, yeah. The only way. If you don't think like that in security, you're not gonna be securing devices. So some of the cool technology that came out to secure these devices, um, at a network level is the software defined network. So you can now gather them all into a virtual network and then apply, um, kind of a firewall, treat it like a firewall and have a man in port to get into them. So that's pretty good. We like that as a solution. The downside of that is, every time you replace a device, you change the device, you move it off, you have to kind of update the network defined security. Um, all

spk_2:   17:05
right,

spk_0:   17:06
So the alternative to that, which we think is really beautiful, but probably more expensive, is the software defined perimeter, which is kind of the HIP protocol, where it cloaks the identity portion of the IP address but leaves the location of the IP address open. So by cloaking the identity, it basically makes that device invisible to anyone who does not have the encryption key to, um, uncloak it. Really, really great, um, great things. But now, neither of those will solve the problem of the voice over IP phone system or the video surveillance or the building machines, because none of those really handle the sensors. Because sensors really can't be included in the, um, you know, in a software defined network, as generally they don't even have an IP address. Um, and what we like for that is the signal, either the signal isolation, where you capture the signal before it goes in to the sensor, and then when it comes out, and you make sure that that hasn't been, uh, it's intended to check it for integrity, given the protocol, whatever protocols are in there, that there's no additional thing going on than the protocols that are recognized by that sensor monitoring tool. Oh, and we also like the approach of doing a fingerprint of the sensor so that, again, you know what it looks like when it's operating normally, and you can check for anomalies. We think those two things are really, really cool and really will solve the problem. And, um, we like it a lot.

spk_2:   19:12
Yeah, there's a lot of new technologies, I think, coming that can address all these different layers of security. But, you know, actually putting them into place and getting people to use them correctly, like you said, and we were talking about this earlier, goes back to our view, anyway, I know that's your view too, of people, processes and technology. And, you know, all three are interrelated, and you can have a lot of good technologies, but if you don't have the right work processes in place or the trained people to implement those processes, that could be a problem. Which is, I think, what's interesting about what you're doing at Fortium: trying to develop that sort of, uh, people role and the process role a little bit more, as far as, you know, how do these people deal with these technologies out there in operating environments?

spk_0:   19:58
Right. That's right. And we hope, through conversations like this, that we take advantage of the opportunities that we actually do have. So, for example, with the suppliers of building systems, it's been our experience that they don't readily, well, there's a reticence for them to step up and say, okay, we need to, you know, take care of our cyber security, uh, practices, we need to improve them. They'd like to, but they don't really know what they're doing. They don't know how to make a good choice. So we think that, uh, for ARC, a really good, ARC Advisory, a good role would be to advise your end user organizations that they should sort of use their market power to notify their suppliers that they need to improve their practices, and give them, you know, these are the three or four or five things that we need, and, um, we need them to be done in, say, six months, and let us know what you're going to do, and if you need some help, here's some people who can help you. And I think in that way we find about 70% of the building suppliers will raise their practices, because they don't want to lose the client as a customer. And then the customer gets to decide whether to keep the other ones or find replacements who have done it. That's one way to get the people who are deploying the building systems and servicing them, that's one way to get them to kind of work off the catalyst and get them to take initiative. The other thing is, um, the junior varsity, the building IoT ones, are typically managed by the facilities management group, and they rarely have technical sophistication inside their organization. And so what we like to do is offer them a, um, like a facilities management CIO, um, yeah, on a part-time basis, and provide that technology leadership. 
And we think of it in the same way as the CEO has a CFO that really understands finance and accounting, and, uh, the facilities manager would have the comparable: instead of a CFO, it would be a facilities management CIO, who would, um, take care of the security side of the devices they're pulling in, maintain diplomatic relations with the IT organization and the engineering organization so that there's some, you know, collaboration and coordination. We think that with those two things, we've got a solution for building IoT, uh, and cyber security.

spk_2:   23:06
Yeah. You really need that collaboration between the IT side and the, you know, OT side. And, uh, I mean, we talk a lot about this whole issue of convergence at ARC, which is really just another term for, you know, talking about this sort of merging or clashing or however you want to put it between the worlds of IT and OT. I know that's a big problem in building automation, too, because the skill sets are real different when you look at buildings. And I think it's a great idea to sort of raise the role, you know, of cybersecurity, specifically at the OT level. And I think what Fortium is doing is pretty interesting in that regard. So you just have a pool of CISOs and CIOs that you can draw from to use as trusted advisors for cyber security at the OT level. Is that how that works?

spk_0:   23:55
Yeah. I can't say that all of them are interested, and all of them are never available. But these are pretty small projects, and there are a number of, um, partners that I have that have had experience in this area. For example, we have the CIO of L.A. Department of Water and Power. He's been dealing with SCADA systems and controls and operational technology his whole career. He's, you know, he's like one of us, um, and he's totally in on this. Um, I've got three or four that have been with energy companies and refineries, water treatment facilities. So there are ones that have that experience and kind of understand it. And so as we get projects, we bring them in and kind of get them so that they understand it, and they understand what, a lot of them never really thought about the differences in the cultures, that they're kind of disparate. Um, but it takes a little bit of orientation and a couple of projects, and, yeah, we bring them in as we're expanding our services.

spk_2:   25:17
Culture change is tough, right? Especially in a well entrenched industry. You know, it's not an easy thing to do, but to me, it's the only way you can adapt to new technologies and new threats as they come along. It does require a culture change. Uh, you know, I think a lot of the maintenance practices we have, I know it's true for the industrial sector as well, I mean, these are practices that date back 50 years, right? Not an easy thing to change. Um, but back to the people side: I mean, do you think that people are aware of the impact of cyber security? You know, do you see issues as far as, you know, cost justification, or, you know, why should I care about cyber security? What's the risk to me? You know, because from what we've seen, obviously the financial impact can be huge in the wake of a cyberattack. But, you know, being in the world of OT, I mean, we also, you know, think that health and safety and so forth are paramount. Um, how do you think the rest of the industry sees that? Do they really see what's going on here as far as the risk and, you know, the potential benefits of investing in better cyber security?

spk_0:   26:32
Well, I think that in, uh, October of 2017 the WannaCry attack hit. And then there was the second attack, and one appeared above the fold of the Washington Post and another appeared, and this is both in the same month, above the fold in The New York Times. And I believe at that point cyber security awareness became, um, it sort of got, it really was given birth to everybody, you know, people outside of security. And over the period of time we've done nothing but see cybersecurity attacks increase, right? So I believe that it's no longer, well, should we spend money on it? It's, should we spend more money on it? I believe that it's pretty well there. I don't run into people very often that are saying we're still waiting and seeing if it's, uh, for real.

spk_2:   27:37
Yeah, that's good to hear. And this isn't something that requires a huge investment up front. Like you said, I mean, a lot of these are kind of changes to processes that are already in place, where it's not a big financial investment, but it's an investment as far as time and, you know, trying to get people to do things a little bit differently than they've done before. So you don't necessarily have to start with a huge capital outlay, right?

spk_0:   27:59
Well, that's an excellent, excellent point. And I tend to avoid talking about money, 'cause then it starts to sound like a sales thing. Yeah, Never Cry cybersecurity defense, we don't even think the end user should pay for it. We think that they can readily have the supplier of the building IoT take care of it themselves. And we contract directly with those suppliers. And we have a fixed scope and a fixed price, and we do it over four or five months with them. So it's only maybe 15, $1600 a month for them to get through it, and it should be their responsibility. And like I said, it's only going to increase the cost of the delivery by less than 1%. Because if you've got these on your agenda, these 30 or 40 controls that you're gonna implement, it doesn't take long to click the box that says Disable Anonymous Access.

spk_2:   28:59
right? Yeah, pretty simple stuff. Yeah,

spk_0:   29:02
It's simple stuff. It's just hygiene. It's not like a big addition to the scope of work, so that has no financial impact on the end user organization. And if it's a medical center, I mean, they might have 50 of these, um, some of the big medical centers will have 50 of these building system, you know, building IoT suppliers. You know, the cost is negligible to the medical center. Yeah, it's just a coordination thing. And we take on all that effort on, um, on the, uh, FM, um, you know, um, facilities management CIO or CISO. So, um, you know, that could be, you know, 10 hours a month. That's not a big role, and it could be virtual, and it can be part time. So in either case, this does not require a lot of money.

spk_1:   30:06
Well, Joel, thanks. This is Jim. I think you answered my upcoming question quite a bit. But, you know, there are three pillars of digital transformation. And when we think about cyber security, it's mostly about the software and the technology. But those other pillars of digital transformation are, well, altering your business processes to reflect that new reality, and then also training your people. So I do appreciate the fact that if you can offload those last two onto the vendor or supplier, that makes the FM's job that much easier.

spk_0:   30:43
Yes, I agree. And, you know, um, I think it's a mistake, but the tendency is to, um, look at the people and just try and do it with the same team that's been doing the same thing for a while. But we find that if we come in for a few hours a month and we bring a fresh look, it takes just, you know, a couple of weeks and people start seeing things differently. And they know that, like, we're not gonna wait. There's nobody at Fortium even that wants to stay. You know, we pretty much like what we're doing, and so we're not a threat to anybody. And so they get to take in the ideas and not feel like, um, you either get on board, and then they do good things and it becomes a career enhancer for them. And we communicate: the more you understand cybersecurity in your role, you become more valuable to other companies. So it's just a great career development opportunity for people when it's done in a way that's not threatening.

spk_2:   31:43
Yeah. Preacher, did you have another question Ship?

spk_1:   31:48
Uh, no. No. Well, to go further down that road, as far as, uh, a cybersecurity career development path: how structured an approach is there to that in today's world?

spk_0:   32:05
Well, I don't think it's very structured at all. I think it's pretty informal. Um, and that's why, um, you know, people look among themselves and they don't quite know how to, you know, proceed. Right now, we think the best way is to bring in, you know, an outside party on a part-time basis that may not even be, you know, might not even be present. You know, could be, you know, a few visits a year, but, you know, it's remote, and, um, like we said, it's not difficult stuff. It's just a different way of thinking about what it is we're doing.

spk_1:   32:42
Correct. I'd imagine there the business processes need to be modified so that you're not there on staff or on contract permanently as well.

spk_0:   32:51
Right. Right. And the change, the way I look at the change, the reason we call it cybersecurity hygiene is, if you think about before we understood bacteria and the threat that bacteria had on our health, um, people wouldn't wash their hands, you know, they wouldn't, you know, clean things. They didn't take care of, I mean, they wouldn't take care of their meats and stuff like that properly. Once we understood that bacteria existed, we started doing things a little bit differently, and we were healthier. It's the same thing. It's just a hygiene for installing and maintaining systems. It's not a different act. It's just, uh, hygiene that helps make it, you know, more secure.

spk_1:   33:34
All right, so that's a good anecdote. It makes absolute sense. Yeah,

spk_2:   33:38
Yeah. Oh, and I think the project phase of it is important too. Uh, I think most of the discussion in the industry right now is around operations, and we're committed to keep day to day operations safe. But you don't see a lot of focus on how to incorporate cyber security concerns through the life cycle of a project. We have a lot of end users that are modernizing building automation systems. Right now, they have these systems in place that are, you know, 20, 25, 30 years old, and they're going through a big modernization project. Cyber security needs to be a part of the life cycle of that project as well. So it's good that we're providing some guidance through that engineering project phase too.

spk_0:   34:18
Oh, absolutely. If it's done the first time, then you don't have to bring the guys back, um, and it just has to be a consideration at the beginning. It's not difficult to figure. I mean, NIST identified all these, the considerations. So, I mean, anyone who's got any technical experience can read those considerations and totally understand it from the beginning. This is not difficult stuff, but it is a cultural transition as much as a technology transition.

spk_2:   34:51
Absolutely. Well, this has been a great call, Joel. Uh, I want to thank you for joining today. Do you have any final points you want to bring out before we kind of wrap things up here? I think it's been a great discussion and a lot of good takeaways here. And, you know, pretty good, solid advice, and you don't have to spend a lot of money. You could start simple. Uh, there are many things you can do to improve your cyber hygiene right now in building automation, both through the project phase and the operational phase. Um, do you have any sources for references, resources, and stuff like that, Joel, that you want to point out?

spk_0:   35:30
Well, okay. Yeah. I really like the book The Perfect Weapon by David Sanger on the geopolitics of cybersecurity. And it spends a lot of time on probably the most sophisticated cyber attack that's been perpetrated to date, Stuxnet. Um, and it brings up all the issues that we really talked about here. Um, I think that sensors are overlooked in their vulnerability. And I think Dil Weiss to get a lot of credit for keeping, you know, pounding that drum.

spk_2:   36:06
Yeah, Yeah, we know Joel. Yeah,

spk_0:   36:09
Yeah, I mean, and you know what he's going to say. It's just great, because those sensors are totally, totally undefended, and the hackers know it, and that's just what they go for. And that's why those three building systems are under constant attack, and

spk_2:   36:28
that is particularly true for building systems. I don't think, you know, not a lot of the end users in the process industries like refining and oil and gas have really latched on to this idea yet, but in building systems, it's definitely a big threat. People are coming in through the sensor level, and so many of these sensors, I mean, I have yet to see an inherently secure sensor, right?

spk_0:   36:49
You're right. They just, they don't have those design elements in them. But Stuxnet, I don't know how familiar you are with Stuxnet, but it's 100% of industrial SCADA control.

spk_2:   37:02
Yeah, Bram, it's familiar. Yeah,

spk_0:   37:04
It's beautifully designed and implemented and deployed. It's, you know, it was just amazing, I think. No, it's pretty old now, it's about six little

spk_2:   37:17
now. We have stuff that's built on top of that. So we have, like, Triton or Trisis, which is going after, you know, process safety systems and all this stuff, that it really is becoming overall more sophisticated and more targeted at this, you know, kind of obscure OT level. Uh, right, you know. So don't think that these guys aren't gonna take the time to reverse engineer, you know, an obscure industrial protocol to get access to, you know, an obscure older control system. I mean, those things are already happening. It's already a threat. So

spk_0:   37:49
and the point that I always want to make is that they really come through the overlooked, under-secured building IoT

spk_2:   37:59
Right, right.

spk_0:   38:01
Those three things: video surveillance, exit the voice over IP phone and office machines.

spk_2:   38:08
Yeah, yeah, it's the influx of IoT technology. And we do see, you know, built-for-purpose industrial IoT, we call it the, you know, the industrial edge stack. You know, industrial Internet of Things. And yeah, IoT, like we said in our separate conversation, is such a nebulous term. You know, if you ask five different people, you get five different answers. It's really just a term for a collection of technologies that are now being used increasingly at the operational layer, like cloud and AI and edge computing and all these types of things, um, that aren't always built for purpose for these applications. Um, and it's, you know, it's definitely a concern that many of the end users and owner operators are selecting products, and a lot of times in their, you know, selection criteria, you know, the topic of cybersecurity just isn't there, so needs to be. Anyway, thanks for joining us today, Joel. This has been Joel Rakow, Fortium Partners. And that is, uh, I assume www.fortiumpartners.com? Yes, sir. Is that your web address? Okay. And with me here is Jim Frazer. And thanks again for listening to the ARC Smart Cities and Cybersecurity Today podcast.

spk_1:   39:23
Thanks, Joel. Thanks, Larry. Thank

spk_0:   39:24
you. Enjoyed it.

spk_1:   39:27
Broadcasting from Boston, Massachusetts, The Smart Cities podcast is the only podcast dedicated to all things smart cities. The podcast is the creation of ARC Advisory Group's Smart City practice. ARC advises leading companies, municipalities and governments on technology trends and market dynamics that affect their business and quality of life in their cities. To engage further, please like and share our podcast or reach out directly on Twitter at Smart City few points or on our website at www.arcweb.com/industries/smart-cities