Defending the grid: From water supply hacks to nation-state attacks

[00:00:01] Chris Sienko: Today on Cyber Work, we welcome back Emily Miller of Mocana to discuss infrastructure security. We'll discuss the water supply hack in Oldsmar, Florida, the state of the nation's cybersecurity infrastructure and brainstorm a TikTok musical that will make infrastructure security the next Hamilton. That's all today on Cyber Work.

Also, let's talk about Cyber Work Applied, a new series from Cyber Work. Tune in as expert infosec instructors and industry practitioners teach you a new cyber security skill and then show you how that skill applies to real-world scenarios. You'll learn how to carry out a variety of cyber attacks, practice using common cyber security tools, engage with walkthroughs that explain how major breaches occurred and more. And believe it or not, it is free. Go to infosecinstitute.com/learn or check out the link in the description and get started with hands-on training in a fun environment while keeping your cyber security skills that you already have relevant. That's infosecinstitute.com/learn.

And now, let's begin the show.

[00:01:04] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals and offer tips for breaking in or moving up the ladder in the cyber security industry. Emily Miller is the vice president of critical infrastructure and national security with Mocana Corporation. Emily has over 15 years of experience protecting our nation's critical infrastructure in both physical and cyber security focusing on control systems, industrial IoT and other operational technology. Prior to joining Mocana, Emily was a federal employee with the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, or ICSCERT.

On our previous episode back in 2019 Emily and I talked about IoT security and infrastructure security and how strengthening IoT and the security systems of our electrical water and internet infrastructures isn't just good business, it's about saving lives. In the last two years these issues have become even more noticeable and pronounced. Earlier this year hackers were able to break into the network of a water purification system in a small town in Florida. By changing cleaning and purification levels in the town water supply they could have realistically poisoned the entire town. This isn't a thought experiment anymore or idle postulating. Infrastructure security defense against hackers and cyber crime groups is a literal matter of life and death.

Emily and I will be discussing not only how to address the problems we have now, but how the new generation of cyber security professionals can lead the charge to reverse a 50-plus year trend of neglect against our country's vital infrastructure from power grids to roads.

Emily, welcome back to Cyber Work.

[00:02:38] Emily Miller: Thank you so much, Chris. It's so good to be back.

[00:02:41] CS: Thank you. I’m glad to hear it. So we'll usually like to start, and we did before, we would like to ask sort of a superhero origin story of our guests. So since you were on one of our early shows, I highly encourage uh you all to go back to Emily's episode which is titled Saving Lives with ICS and Critical Security to get Emily's origin story.

So since you're back a second time let's, talk about what you've been up to in the last two years. Where's your work taken you in the present day and how does COVID change what you do on a day-to-day basis?

[00:03:10] EM: Oh gosh! The last two years, everything – Has it been just a year? It feels like 10 years.

[00:03:16] CS: Yeah, right? Yeah, unbelievable.

[00:03:19] EM: Since 2019 we've had some really interesting things happen. I’ll pause before COVID, because COVID everything –

[00:03:23] CS: Of course. That’s a whole chapter. Yeah.

[00:03:25] EM: Right. Exactly. So Mocana has moving and shaking. We had in 2019 some interesting things happen in the federal space. We had a work with the army that we did. They evaluated our product. So we've been using that evaluation to open a few more doors to go knocking, because when you offer something that's really new in the market, most folks go, “Well, that's great and it sounds cool, but does it work? Does it really do all the things you say?” So we had the army take a look at it and they pen tested it and did some interesting things with it. So we've been making inroads.

And of course I got pregnant immediately again and then was pregnant most of for – Well, God! Even, I don’t know, 2019, early 2020. So as I’m working on all of that I had my second baby right before COVID. And I bring this up because we were expecting to be able to take some maternity leave. Well, it just so happened that all the work we did in 2019 sprung some really interesting things that I was working on right before I went on maternity leave, and then of course it was then COVID.

So I ended up being very luckily to be able to distract myself from all of the awfulness that has been around this year both having a new baby and also a whole lot of work to focus on. We won a contract with the Air Force. So a small contract, about one and a half million, but I’ve been mostly focused on execution. So we have a couple other things working on with some strategic accounts that are in my portfolio. Now is the new and shiny minted vice president.

[00:04:55] CS: Nice. Congratulations.

[00:04:56] EM: I know. That was exciting. But that's really been my focus. It's been trying to keep everybody safe and healthy, keep our customers safe and healthy. Do really good work to save lives. I mean, you go back to my last episode, that's all I’m about. But really the intent of it is even so much more right at your doorstep with COVID. I mean, certainly we're not talking about cyber security for COVID necessarily, but that is infrastructure. That's public health infrastructure. That's all what we're talking about, and it's here. And in my earlier days I actually worked with the folks in the Obama Administration who wrote pandemic guidance for the government. So it was rather shocking as someone who had been part of that apparatus to see what happened when it all actually hit and then it's just complete collapse. I think that the colloquial is a cluster bus.

[00:05:49] CS: That's an excellent substitution.

[00:05:52] EM: Yes.

[00:05:52] CS: A cyber work friendly substitution.

[00:05:54] EM: Correct.

[00:05:55] CS: So can you um talk a little bit about – Because you said you had this sort of body of work done by 2019 and then it was all just like house of cards knocked over by 2020. So what was it that you had finished that you thought was going to stand that got completely reshuffled with COVID? What did you have to start over in doing –

[00:06:17] EM: It was really the direction of our strategic accounts. We were really lucky. So the commercial side of the business had to pivot a little bit, but that's less of what I’m involved with. We had to do some riffs of course. That's what happens in COVID. But we're very lucky that we were able actually to expand our commercial business and the things that we had set in motion right before COVID. Because it was covering out of government dollars, it was obligated, and so we just began the work and everybody was able to pivot to at home.

So although it didn't happen in exactly the same way, the federal strategy has been make the name from Mocana. Understand and get some bona fides on the actual product and then move forward beginning on rolling it out with the government. So the contract we have at the Air Force, again, is another proof of concept type of contract.

And so that is happening. We had some things that fell through that ended up going through in a different way via the Air Force contract. So I’ve been very busy and working. And to be very honest, Chris, feel like a little bit survivor's guilt that my spouse and I have both been employed. We've both had to pivot. I’ve been working at home for three years. My husband has not. But then he had to work from home. We had the new baby. We had the older – another toddler. We had two under two at the time my second was born, and working your butts off. And we're very, very lucky, and I cannot tell you in this environment what that's like to feel like your life is relatively normal while experiencing deaths in close people – close people who have passed away. Really, it's a stunning examination in duality and your ability to compartmentalize because you've had to do a lot of that. To be truthful, the expectation that everything is continue on normal and you still have to make money when everything is falling apart, it's been really challenging. Yeah, it’s really hard to quantify and to put into words, but that is the reality of the situation is when you talk about it like it's a normal thing. And some of it was and did feel very normal, but then you pause from you know writing your documentation or whatever you have to do with your clients and you look up and it's, “Oh! Today, 250,000 people are dead.” Oh God! Wow!

[00:08:38] EM: Yeah. I think one of the things we're going to see once we get vaccines and arms and the sort of the numbers go down is there's going to be not just a mass exhalation, but I think there's going to be kind of a mass depression. Like I think a lot of people are holding a lot of things in and are maintaining and holding and – I think of the end of the book How to Survive a Plague about you know the AIDS crisis and how many of those activists even after like things were getting better like just the waves of depression because we're just holding in so much right now.

[00:09:14] EM: Right. I mean, you have to. The only way you can move forward when everything is such a shamble is to shove all of your feelings into some deep, dark emotional basement and –

[00:09:25] CS: Yup, one foot in front of the other.

[00:09:28] EM: Right. I dealt with it by baking a lot. I’ve got the COVID-20 that none of my pants fit, but that's okay because who needs anything other than stretchy pants?

[00:09:36] CS: I’ve watched a lot of horror movies. Yeah.

[00:09:38] EM: Right. Exactly. I’m going to be feral by the time you make me go back to the office.

[00:09:42] CS: Yeah. Oh, yeah. Yeah. I’ve gotten real good with the clippers. I haven't seen a hairstylist in quite a while, but it’s about –

[00:09:48] EM: So I was going to say. I was really surprised that you didn't have hair done during COVID.

[00:09:51] CS: Oh, yeah. I wouldn't say I’m real good. I’d just say I’m real aggressive. Yeah. I got another appointment with myself in the sink this weekend I think here. Yeah. Oh yeah. We're all in it right now. So okay, so I want to start. We've got a lot to talk about today, but I want to start with the story from Florida. So just to give our folks a little background, in early February, a hacker accessed a water treatment facility in Oldsmar, Florida. A plant operator watched as his cursor was commandeered and dashed around the screen opening software functions until it landed on the setting to control the water level of sodium hydroxide or lye. The hacker increased the sodium hydroxide level 100 fold, which would have sickened residents and destroyed pipes with its huge rise in the alkali level.

So I want to start, because there's going to be a lot of postmortems and whatever. I want to sort of start with what the plant did right. Based on real-time events as they happened and the ability to stop the attack from actually reaching the water supply, what safety measures were effective in preventing a worst-case scenario?

[00:10:51] EM: So I want to be really clear here that the operator did his job. So there's some interesting things that when I was really digging into the incident a couple times, and I wanted to make sure before we talked today that I had gotten my facts right. And the operator actually saw this actor twice. So once at 8am, and he thought it was his boss, because it was somebody just kind of poking around not doing anything here.

[00:11:13] CS: Yea. Like a team viewer kind of situation or something –

[00:11:16] EM: Right. Exactly. I mean, it's remote access. That's what you do. Everybody knows how to do that. You call your help desk and they log in, right? So same sort of thing. It just happened to be on the human machine interface to control all the water treatment stuff. But anyway, so then he goes about doing his job. And around 1:30ish he sees somebody come again and they said it was about maybe five minutes. The operator is doing his job. He sees this activity and he goes, “Oh! Oh no!” Stops it, the actor leaves.” And then what shows me that they had something right is they had a process in place for escalation. So they immediately started an escalation process to say something bad has happened. They attempted to do something. So they knew to call the sheriffs. They had a process internally okay or the operator was empowered to make some calls, and I don't know how exactly it escalated, but it did go to the sheriff's office. So that shows me that they had an incident response plan. So that's really, really good.

I’ve done cyber exercises in my previous role in the government where we would test what we call gray area scenarios where you might not be sure necessarily some things going on. So just like we said at the 8am when he saw the cursor moving. Not entirely sure. There can be things that happen that may not necessarily be attributable to a cyber incident. This one was fairly evident like to the point of being comical that the guy is just –

[00:12:40] CS: Oh yeah. Yeah.

[00:12:41] EM: Right. But that you were able to say and you were empowered and the operator knew that the next steps, and that's not for nothing. That is a big deal particularly when – And we're going to talk a little bit I think further about what went wrong and why wasn't it this way? But that is very important. Process and procedure is very important to have yes and being able to have the empowerment – Hold on I’m going to shut my –

[00:13:04] CS: Okay.

[00:13:06] EM: I have my email open. So let me cut that. I’m getting a bunch.

[00:13:09] CS: You got a coupon for a free pizza. Why don't you click that coupon?

[00:13:12] EM: I know all the dings. Hang on, guys. Sorry. I apologize. You can see that I’ve become a lot more casual now that we've got Zoom all the time. Okay. I’ve got way too many things open.

[00:13:23] CS: Living through the webcam here.

[00:13:24] EM: Right. Sorry guys. You're going to have – Cheers to that. You're going to be dealing with all of my email dings. My apologies.

[00:13:29] CS: Okay. No worries. Yeah. So let's pivot to that. What went wrong? How is the hacker able to get this far and what security systems were and weren't in place to prevent such a thing?

[00:13:39] EM: So I kind of chuckle at the idea of get this far from everything I’ve seen, and I’ve seen this in person. I’ve been to water utilities. I’ve been to a variety of other utilities where the focus is necessarily on operations. Making sure that you have clean water, that your waste is treated, that your water is drinkable. That is the most important thing that the water treatment facility can do. And in that you may have, which was the case in Oldsmar, I believe a completely wide open to the universe network that there are no firewalls. There is just direct access. So getting this far, it's not – Think of the Purdue model if your listeners are familiar where you start up here and you go down and there may be a DMZ and then there's some additional controls. And so you really have to be very sophisticated to work your way down. This appears not to have been the case. That this was just something that a relatively unsophisticated actor was able to access. And you can go on Shodan and find internet accessible control systems quite easily. There're lots of them. And that's is, has been and always will be terrifying, but it's just the reality of the way we live.

So to the question of like why weren't the security systems in place? There're a lot of reasons. I mean, again, they're focused on doing their job. And when you're setting up as a small municipal utility, I believe Oldsmar services 15, definitely under 20, 000 folks. So that's not a big utility I would say. A midsize utility I think is around 250 to 300,000 people. So this is a small municipal utility, owned or operated that the town has to make decisions about cost and spending. And when you're going to make decisions, what's the most important thing? And the most important thing is doing your job and making sure that the water is safe. Yeah.

[00:15:35] CS: Yeah. I’m sorry. Go ahead.

[00:15:35] EM: No. No. No. No. No. I am a prolific talker. So please, cut me off.

[00:15:40] CS: Okay. So yeah, I think we sort of already talked a little bit about this, but with the postmortems that are being written about the safety set up in here. And you said there's tons of these on Shodan and stuff. But like how commonplace do you think the lack security system like we saw here is among other water plants or other types of critical infrastructure?

[00:15:56] EM: Oh! So common. So common. Again, it really depends – The facilities and the operators themselves. And, again, I want to point out to Oldsmar. Oldsmar obviously had done some thinking about this because they had an incident response plan in place or it seems that they did. There were protocol and procedures that they had for operator. You are empowered to take this escalating and call the sheriff's office. A lot of folks don't even know what to do or they get stuck at a bureaucrat who says, “Ooh! Don't call. We'll just keep this to ourselves.”

[00:16:25] CS: Or I hope this will just be fine. Yeah.

[00:16:26] EM: Right, exactly. Or we'll just deal with it. So I’ve lost the threat of conversation.

[00:16:33] CS: Okay. Yeah, basically just the scope and the scale of unsafe systems like these.

[00:16:40] EM: It is widespread not just in municipal utilities. I think if you're big funded like oil and natural gas, you probably have a bit more wherewithal to create processes and procedures. But we're talking water, hospital systems, electrical utilities. I mean, these are known issues, because most of these facilities were built 30-plus years ago. And even with the new ones, you have an opportunity to re-architect, but it's all limited based on your money. So you have facilities that are built 30-plus years ago where technology is introduced particularly in utilities where it was analog. There are still analog systems. And then you have to move that to somehow integrated system. So you have an HMI working with SCADA to be able to see what's actually happening, which is really cool and exceptionally helpful to the operators, but all the protection pieces. And then you have to think about the architecture of the network. When you're focused on operations and you're not a control systems – Or excuse me. Not a computer science networking whiz, what do you necessarily focus on? You focus on making sure things work, and that is pervasive. I mean, pick your poison on infrastructure.

And hospital systems, we've talked previously. I’ve talked about hospitals, food and agriculture, same sort of thing. Systems that were never intended or suspected when they were deployed that they were going to be connected as to the Internet, the Internet even being a concept, or that anybody would be interested in using those systems to kill people, which I think still goes over people's heads. Like this guy was probably just somebody poking around, but you don't go in and go for, “Let's change the lye levels.” And once you at least have some sort of nefarious intent to kill people.

[00:18:33] CS: Or just complete breakdown of – Like I know what lye does. There's no way you can go, “I didn't know which – I thought I was just playing around with the flavor of it,” or something like that.

[00:18:40] EM: I didn’t know what that was. Like, “Sodium hydroxide levels in water. Let's just play with that.” That’s not for fun.

[00:18:45] CS: Yeah. Let's see what the hell – No. Not at all. So I guess we're both sitting here kind of waving our hands and going, “Oh my God!” But like has this –

[00:18:54] EM: yeah, which is why I was losing my train of thought because suddenly I was just like, “Hair on fire. The thing that I most care about.” Yeah.

[00:19:00] CS: So has this attack served you think any sort of alarm bell in the state or local governments about their own vulnerability? Have you seen people see this and take steps to keep it from happening where they are? Or did the majority just read it cross their fingers and say, “Well, it didn’t happen to me.”

[00:19:14] EM: I’m so jaded. I really think that folks are aware of the issue and have been aware of the issue and are doing by and large the best that they can. And unless – For example, in Oldsmar, the town – And I believe I read this in the Tampa Bay News. The town of Oldsmar approved an upgrade, so software upgrade I think for the HMI. So I think they must have either upgraded or eliminated team viewer or something, but it was a $65,000 approval. That's really not much in the grand scheme of things, but they only did that after they got attacked.

[00:19:57] CS: Yeah, right. Yeah. Then it became out of the emergency budget, not out of the operating budget.

[00:20:02] EM: Correct. And they only did that – From what I read, I could be mistaken on that obviously. I’m not down in Oldsmar. They only did that for the software on the SCADA system that was impacted that caused the problem. And maybe it was some form and flavor otherwise. But it wasn't a, “Oh! Shoot. You're open to the Internet. We got to help you re-architect this.”

[00:20:25] CS: Right. Yeah.

[00:20:27] EM: So when we talk about wake-up calls, there have been so many incidents that we say, “Oh my God! Guys, this is it.” I mean, we talked I think in 2019, we talked about Triconex a little bit, which was impacting a safety utility system, an oil and natural gas facility in Saudi Arabia, or somewhere in the Middle East if I forgotten where it was. But anyways, that is something that I’ve been screaming from the rooftops that it's going to impact – Safe people are going to go after safety systems. Again, to Oldsmar, and we talk about this, that there would have been down the line. I mean, the lye level was so insane that even if it had made it through in the holding tank, there're chemical sensors. So safety protocols to say, “Woop! Hey! Hang on.” I suspect that was probably a little bit more of an analog system, but what if for example at a chemical plant that deals with chlorine? There are safety systems in place that are Internet connected or can be Internet connected that will tell you whether or not the chlorine is at safe levels or if there's been a chlorine release or anything like that. What if you turn it off? Or what if you make it give an incorrect signal back saying, “Everything's fine,” when it's not?

[00:21:37] CS: Yeah. There're just enough places along the line especially if someone, even a person who's standing there turns their back for a minute or whatever and the light goes off or something.

[00:21:45] EM: No. And there are ways to deal with it in a non-cyber way. You can have manual. But that again all takes fore-thought.

[00:21:53] CS: Yeah. But that's still only like three or four steps that need to go wrong for something really bad to go wrong.

[00:21:58] EM: Exactly. I hope, I certainly hope, and this is why we're talking about cyber workforce, and I can't wait to get to those questions, because this is not just a stop the hackers conversation. This is a – I mean, Oldsmar, for example. The operators I have no doubt having been to utilities and seen how dedicated and professional and just you don't go work at a wastewater treatment facility because you love the smell of urine. I mean, that's not why you go. You go because you have some level of civil engineering dedication that you want to be a part of that. But they're not the ones who are in control necessarily of their operating budgets. They can scream until they are blue in the face, but if the people who are in charge of operating budgets, priorities, policy, and that may not even be people who work for the utility. I’m talking town, city, whoever owns your ultimate controls of how you do your business. If those people don't give a frog's ribbit about really cyber security and understand beyond something, something the interwebs, we're in a lot of trouble.

[00:23:15] CS: Yeah, I agree. Yeah. To that end, I understand money and budget are always a factor and we were talking about emergency budget versus operating budget, but like what are some of the logistical issues of implementing mass security upgrades for infrastructure? So I remember we talked on the last show about a certain piece of critical infrastructure equipment that I think you said might still be working on like an unpatched Windows 95 platform and no way to do an upgrade to it. So like what is the state of patching and upgrading for infrastructure in 2021? And like where do you even start with something like this?

[00:23:47] EM: Yeah. Well, this was Window. They're using Windows 7 at Oldsmar. It’s just what it is. Patching is still – I mean, you can still have patch Tuesday. You can still do we need to do again? It's a little more challenging on control systems because what if you – Even if it's a tested patch, somebody like Schneider or Siemens is producing and saying, “You can implement this.” You still have to make sure it's not going to interrupt your processes.

So that's a problem. But it goes beyond chasing down vulnerabilities. And we are in – And I’ve written about this. I have a lot of thoughts. So I talk more about funding when I wrote a post on LinkedIn. But, really, it's the same song and dance and I’m getting so tired of it. It's not bad advice. It's not wrong advice, but patch and check your vulnerabilities and monitor your systems and do all these things. To get where we need to be is a massive, massive undertaking, which takes political will. It takes gobs and gobs and gobs of money, and it's going to involve all facets of infrastructure.

At the government level you talk about – I think they still do this, the tiering or the level ones. So most important national level impact stuff, and then the pretty much most important, but it's going to be regionally impactful. Do you think that the Oldsmar Water Facility even down to the level four, which is more of the lower level things, would have fallen on anybody's list of things to prioritize? Probably not, but if something had actually been able to make it through into the water system or if something had happened in power – So watch what happened in Texas. That was not cyber related at all, but the impacts are the same. That tiny little utility becomes hugely important, because even if you are not servicing millions of customers or hundreds of thousands of customers, fifteen thousand lives. And I think we've seen it in COVID how overwhelming it becomes that this is you, this is me, this is our children, this is our grandparents. These are real people who are being impacted and not for nothing. We have to do something.

And I think if you start by taking the elephant at the – The big thing. There are big things that need to happen that the government needs to be involved in, but there also have to be small things that happen on the micro level, which again when we're talking about what does a cyber workforce do? This is a huge undertaking and there's no one place to start. So you can start top down and bottom up and somewhere in the middle and all the things. I take the approach of just standing on my roof and screaming into the ether.

[00:26:42] CS: Every action is a positive action.

[00:26:44] EM: Exactly.

[00:26:44] CS: Yeah. Well, let's work backwards from the place of an ideal solution. So like we're never going to get exactly everything we want at the speed we want, but let's reverse engineer from the best case scenario. So fast-forward a year, 210, whatever and boom! Somehow the country's critical infrastructure security is the envy of the world. It's as impenetrable as can possibly be against foreign agents and cybercrime groups. So how did we get to this point? What massive changes happened to get us to where we are now with resources spending, human collaboration?

[00:27:16] EM: Well. So I’m going to start with where I focus right now and then I’ll kind of branch out from there. I’ve talked a lot about you know re-architecting networks. And, again, that's important. That will come into the conversation. But I’m a device gal. I’m all about protection of devices. And the Oldsmar utility wasn't really about that. It was about team viewer and remote access and that sort of thing. But what brought me to Mocana is the idea, and this is again the hypothetical, we probably won't ever get their state. But what brought me to Mocana is building, helping vendors, device vendors, build solutions that are inherently secure. So conforming to IEC 62443 standards, which is a big old standard. I’ve only read parts of it. It's pay to play, but I’m involved in some of the working groups. I really like it. And what it does is help get the devices themselves to a point that the devices themselves irrespective of what's going on in the network can be self-defending, self-protecting and trustworthy.

So we talk about – And this is not just Mocana. This is what Mocana does, but this is not just Mocana. Siemens, Schneider, all of the ABB, all of the big vendors, this is what we should be driving forward. So to get to that big vision that you just described, I 1000% think that we need to make secure by design operational technology. Right now it's insecure by design for a variety of reasons. Again, not because the device vendors don't want to.

But what you need to have is we talked about zero test architectures in networking. Don't trust a user. Assume that everything is compromised. The user has to validate it every single opportunity. What about devices doing the same thing? That device needs to authenticate that it is an un-tampered, trustworthy, that is devised to say it is. It has not been impacted from boot through its entire life cycle. And that is what the IEC 6243 standards do. And then you merge that with the networking solution so that you can have data from that device about its security posture going and being fed into an AI or ML engine. So you do the same sort of monitoring and analytics, but on the device. Not just on the data that may come from the device that may already be compromised once it hits the network.

So that I think is exceptionally important, because theoretically – Now, again, we're going to pretend, right? But if you have – And I joined Mocana specifically for this. I was thinking about water utilities, because I’ve been to water utilities and they have – A lot of them will just have flat, wide open architectures that there is no separation on the network between the control systems and the guy who's going to go check Google on their finance side laptop. None. So what if those devices themselves couldn't do anything that they were not supposed to do? Again, huge pie in the sky. But that idea of obviate the network, make devices inherently secure. And take the model of how we approach security from the bottom up not just the top down.

Now, of course, that's insane, right? So you have to have, I mean, things like making sure we're going to have attackers. So as soon as we try to do something amazing, the attackers are going to do something equally as amazing, but nefarious. Setting up architecting watering holes. So you have a fake environment that you can monitor and see what the activity is and watch what they're doing and report that back to the FBI and to DHS and see who's trying to impact my systems and what are they going after and what are they trying to do? What are their attack paths? And then obviously monitor logging all the things that you need to have happen on your network as well.

But what I like about the device-based approach is that you don't force the network monitoring logging etc. upon the operators who just want to do their job, who are not really concerned about the network security piece. They're concerned about making sure that the water does not get poisoned. That it flows. That they're not dumping raw sewage. That's what they're concerned about.

[00:31:21] CS: Right. Yeah. Go ahead. I’m sorry. No. No. Okay. Okay. I mean, I think it's time where we sort of open up the field here a little bit. Obviously the case of the water plant in Oldsmar is not an outlier and a lot of people have been whistling past this graveyard for decades now. Our country's infrastructure, I don't feel like I’m being that controversial by saying it's mercilessly worn out not just in security, but things like roads, there's bridges collapsing, figures about dam ruptures, 100-year-old lead pipes and water systems, badly maintained highway. So there's a lot of work to be done. But I want to start this large conversation with security. So I think that addressing these issues starts with acknowledging that they're real. And apart from our pie in the sky example above, like talk to me about realistic work to be done to improve not just the security of our infrastructure, but sort of the expansion of the cyber security industry and what would need to happen to address this uptick in work need to provide our nation's infrastructure with enough workers to address everything.

[00:32:22] EM: Yeah, absolutely. So I touched on it a little bit earlier that when we're talking about cyber security and what we need in a cyber security workforce, a lot of folks go right to the traditional, “Ah! We need the computer scientists and we need all of the he traditional skill sets.” Yeah, absolutely we do. You also need to have the operational technology piece if we're talking specifically about infrastructure. But where I think we really don't do a great job is incorporating folks throughout the entire apparatus so that you need cyber security expertise so people like myself. So I’ve learned all on the job training. If you go back and listen to me, I’m an international relations and conflict resolution person who kind of tripped and fell her way into cyber security because I ended up being very curious and really loving it. But that's what we need throughout. So you have to, of course, have the traditional disciplines, and I think that there's a lot of work to be done on merging engineering and traditional how you – And I’m not from that background. So I may be speaking out of turn, but how you train engineers to make sure that they also understand cyber security and vice versa because there's a lot of folks who come in to IT that we haven't talked really word one about operational technology, and it's a really buzzword thing, “Ooh! IT, OT, integration,” it's very different. Availability, integrity and confidentiality instead of confidentiality first. Right. Cool. That is like the most baseline information that you could ever have. How does it actually work? I don't know. You should have me flown down to a PLC, I’d kind of take a pokey stick and stab at it a little bit, but that's about it.

But if you're actually dealing with, “Hey, the people who are going to be in charge of operational technology security are also the ones that we're hiring to run our network security.” Those folks who are doing operational technology really need to understand what the heck is happening, and particularly when you get down to electric where it is, if you're an electrical engineer, God bless. That's amazing. I can guarantee you most of us don't understand that and how that works and how we need to help and protect that.

And then from people like me, we have to understand cyber security. You have to have folks at the policy decision-making levels who are not just in your legislative bodies, because we can start with folks in the house and senate who are becoming a little bit more cyber savvy, but I mean really down at the local level. So the commissioners, county commissioners, anybody who may be taking cyber security who you would need to have understand why this is so important. Who are making the decisions about your budgets? Who are making the decisions about policy who are setting that at the local uh and state levels? That is massively important. And I think we do a disservice when we don't hype up blue team. So all the policy piece, and we focus on the red team because it's super sexy and you get to hack and do all these things.

Chris Roberts, who is a hacker, he's great. A little controversial, but he's on LinkedIn. He posted something that said we have enough people breaking stuff. Stuff is broken enough.

[00:35:34] CS: Yes. Oh, yeah. Everywhere you look.

[00:35:37] EM: We need people to help fix it, and that's blue team. That's people – Even if your job is a defender to help architect systems. All the way to people like me who are policy makers who really get it and can talk tech and then are going to take that knowledge and carry it forward and go, “All right. I’m going to make sure that when I write this policy that I am doing something that works. That I am funding it appropriately. That I’m writing the money. That I’m listening to the people who do this on a day-to-day basis and making sure that they're getting what they need.” When we don't include that in our body of this is the universe of cyber security that you can walk into. We do a huge disservice to anybody in the community who's going to be fascinated by this type of topic and want to come in and do good but maybe they think, “Oh shoot! I’ve got to learn Python.”

[00:36:29] CS: Yeah. Yeah. Or think that – I don't know why this came through my head, but I think about like nuclear plants in the 70s and the sort of notion of like, “Well, these could be like military targets or they could be –” So I think if you have that sort of front of mind for people that this is like real like actionable stuff that I have to learn to defend like. I don't want to say the cliche of making it sexy or whatever, but like that that level of defense like has been exciting to people in the past I think, but especially from like a physical defense system. So I think if you can sort of incorporate the sort of cyber element of that, then you might have more people thinking in those terms.

[00:37:10] EM: Absolutely, and I’m being curious. Another person I follow on LinkedIn, she just moved to Proof Point. She was at Dragos. Her name is Selena Larson. She was a journalist working for CNN. And I remember when she moved to Dragos, because it was a big hire for Dragos because they were working on – They needed people who could actually write compelling incident reports and they brought in Selena. And Selena has become to all, everything that I’ve been able to see from her work, a fabulous incident responder and understanding how to ask questions. And she wrote this great piece that I just read yesterday and was thinking very much about our conversation today about what journalism has to do with cyber incident response. And the biggest thing that – And this really rang true to me because the same thing happened for me. A totally different background, different experience, different work flow in what we're doing, but being curious, asking questions, not following the traditional – And I know this from my educational experience and what I was taught. This is the body of knowledge, and the way that you do these things, this is the process. So this is how you approach it, which is true. But you also need to be able to take ideas from other areas and say, “Well, what about this? Have you thought about that? Gee! That sounds a lot like X, Y, Z over here,” and that's exactly what Selena was talking about.

So what she found – I’m extrapolating here because I watched her looking at her experience. She went from being a journalist just broadly to doing stuff on cyber and then it seems that she found a bit of a passion there and wanted to learn more and do more and follow that, and the same thing for me. I really want to do good. I thought it was going to be doing good through foreign policy because it's all social justice work. And then I fell into infrastructure. I’m a gigantic nerd and like, “Oh! Look at the turd tumbler at the water utility. That's amazing!” You can hold your nose and watch it go. But it is. It’s so cool. And then realizing, “Oh! That's going to happen? Oh, wait. That's going to too? How easy is it for happening? Oh God! I got to do something about this. this is not good,” and following that. And anybody can do that. Anyone can. And coming from any industry, if you go, “Damn! I am really curious about that. I want to know more.” Whether you're coming from a traditional educational path or you've done something else and you have led yourself down to cyber security in some form or fashion. Follow it and do it.

[00:39:39] CS: Yeah, that moves nicely into my next question here too. I think when we think of cyber security professionals getting into industry for all the different reasons, whether it's chasing the bad guy or keeping a company safe or even the prospect of a decent paycheck, I wonder if there's a way to get the word out that cyber security professionals should also consider aiming their job search at state and local government, local utilities, infrastructure, to sort of let them know that they could be potentially keeping their own town or city or municipality safe in a real intangible way.

[00:40:08] EM: Yeah. And I think what I was thinking about that, this is going to be a little silly, but I think we need to start meeting the youth. I’m apparently old now. I’m 40 this year. So that makes me old.

[00:40:19] CS: Is that the case? Uh-oh!

[00:40:21] EM: My brother and sister who are [inaudible 00:40:23].

[00:40:23] CS: My casket is here.

[00:40:23] EM: Don't hesitate to tell me that I am now an old. But when we're talking about –

[00:40:28] CS: Guys, I have TikTok on my phone. What do you want from me? Oh, you don’t? Okay.

[00:40:33] EM: Are you kidding me, Chris? The Chinese, come on.

[00:40:34] CS: All right. All right. All right. You're right. You're right. Secretly deletes it from his phone right now.

[00:40:40] EM: Yeah, go delete that now. But they're so compelling and fun to watch. Okay. Let's go to the point though. Meet how people that we want to join our industry. Meet them where they are. Again, this all wrote comes back to funding because you can't do any of this without funding, but when we talk about funding it can't just be – I mean, it necessarily has to be about infrastructure upgrades, paying people, all the things that have to happen. But if you want to excite and get folks into an area that may not pay as well, that doesn't seem as sexy. You have to meet them where they are. I think there needs to be instead of just traditional job fairs, needs to be something really cool done on social media to get people engaged and say, “This is what this is.”

And even if it was, I don't know, the government was going to do some sort of like statewide campaign on social media. It might be a little cringy, but it would meet people where they are. And I think of – Like we talked about I was way back in the day involved in the pandemic planning. CDC wrote a graphic novel about zombies to prepare people for pandemic, and it's totally relevant today. And it was when The Walking Dead was on and it was – People laugh and I said, “They paid a graphic artist or a graphic artist to build this awesome pamphlet.” That is the same preparatory activities that you take for zombie apocalypse that you do for a pandemic. And something to that effect where you're really talking in the same language that the people you want to come in. I thought Parks and Rec was a great thing to have on because it's about the local municipality and the town and all the things you have to do.

[00:42:21] CS: Yeah. Yeah. Yeah. It breaks it down that way. Yeah.

[00:42:23] EM: Right. And if instead of a state job fair, like who prints out a resume and goes takes it to a job fair, right? Like I don’t think I’ve done that since I was 16. Way in the early aughts or even before that, I guess, the 1990. So you have to take the youth, the youth, how they ingest information. What's going to be cool for them? And think beyond red teaming. So you can talk about like,” I don't know how to make cyber policy cool, but cyber policy is cool,” right? Do I do a fosse dance? Maybe. Somebody call me if you want me to do that. Happy too.

[00:42:59] CS: Whatever it takes.

[00:43:00] EM: Whatever it takes. A black turtleneck, a black pants and a top hat, “Cyber.”

[00:43:03] CS: Right. Yes. So I hate to say this. I think we're about to get the most work from homie thing ever. I just got a notice on my phone that my smoke detector might be doing a quick –

[00:43:12] EM: Oh no! Well, that's okay. You can have the smoke detector going off. I’ll get the email dings. It'll be fabulous.

[00:43:17] CS: All right. All right. It's all symphony in here. So I guess – So let's assume that we actually have cyber security students and aspirants and novice professionals that are interested in steering their skill set towards the goal protecting infrastructure. We've brought them in. We've done Parks and Rec the musical or something like that. And like what are some skills that they should be learning or tasks that they should be accomplishing to show that they have what it takes to do this kind of work?

[00:43:41] EM: Well, it really depends on where you want to go. There are some certs that particularly I’ll say for like the DOD. Having something like Security+, that's not the high-level thing you need to meet. That's very much a gateway thing, but I took that when I was first moving into cyber. Has helped me infinitely not necessarily taking the cert out and saying, “Look, I have Security+, but actually going through that level of education as someone who was decently familiar but didn't really understand PKI and all the basic fundamentals that you need to get your Security+ certification. Something like that is really important particularly when you have quals that are a little bit more formal. The DOD asks for it a lot.

SAMS has some great training. It’s really expensive, but they’re fantastic training. I’ve taken a bunch of classes with them. If you're looking at operational technology, my old office, ICS Cert has free training. So credentializing yourself is number one. Also, depending on what you want to get into, building your own lab. So if you are interested in more how do I do things? So you can say, “I’m doing whatever job I’m doing right now, but at home I spend some of my free time building and architecting and doing these type of things. Again, about the bona fides. So even if you don't necessarily have the traditional quals and skill set. And again, some jobs you have to have the traditional quals and skill set. But if you don't, moving into something it's a little bit more flexible like not nuclear power, then you can bring some of this at home skills learning that you've picked out.

And then I think the next big thing is being curious, something that helped me in learning – I mean, again coming from foreign policy, conflict resolutions, moving as a contractor into a job about at the time it was physical security before I moved into cyber. I knew nothing about nothing. So I just asked a lot of questions. I connected with people and I said, “Hey, that thing you're talking about sounds really interesting. I actually don't know what you're talking about. Can you tell me more about that?” And I’ll give you an example.

A former colleague, he's now deceased, his name is Al Cook. Al worked as a medical device materials manager at a hospital system and he would talk about the importance of on-time delivery and all these things. I had no earthly idea what he was talking about. My job at the time was just a secretariat. I was taking notes. And so one day I called him and I said, “Look. Al, this sounds really interesting. I don't know what you mean.” And he spent two hours of his time talking to me, just educating me about what materials management is. Why it's important to infrastructure? What it means to the hospital system? What happens if all these things start happening?” And I can't even tell you what that meant to me. And because it led me down – First it gave me confidence to ask more people. Most of them were extraordinarily generous with their time. Very few slammed a door in my face. And be curious. And that genuine, authentic curiosity is going to help you. And most people who are dedicated and passionate about their job and their field are going to see that passion in you and they want to share that with you just like I’m doing here today, Chris. We want to share the things that we're passionate about. We want to inspire that same passion in anybody who comes to us and say, “Hey, Emily, that's really interesting. Can you tell me more?” Absolutely, I will talk your ear off.

[00:47:16] CS: Yeah. Yeah. Especially if you've like spent a long time learning a thing. It's always super fun –

[00:47:20] EM: Oh my God! Yeah, absolutely.

[00:47:22] CS: How much time do you have? Yeah.

[00:47:23] EM: Right. For example, if you're in an industry that you're cyber adjacent but you really don't know and you’re – Reach out to people on LinkedIn. Go to anything local that you have. Talk to representatives in your town and just talk to them. Find out what the issues are. And even if you're not talking about cyber security, even if you're not trying to get a job, ask them what their challenges are. Be curious and be bold. And it's a lot to put yourself out there. It really is. But once you start doing it, especially if you're not doing it with like the intent necessarily to get hired, although that certainly is your intent. But if you're doing it to learn right and to establish your footprint and understand what knowledge you need, that's extremely helpful. And then of course as you make connections, make friends and then things will flow from there hopefully.

[00:48:11] CS: Yeah. I love it. So do you have any thoughts on how things like the global pandemic and potential pandemics to come will change the nature of this type of work? Do you have any thoughts on future proofing in the age of COVID?

[00:48:25] EM: Ooh boy! This was the tough one and the questions. We know for a fact that how we work is going to change. So what's interesting in the age of COVID is that this thing that we've been talking about in terms of digital revolution, which has already been here, it is smacking us in the face with a cold dead fish. It is here. It is saying, “You are not ready,” very clearly, but you've got to do it, and that's for all sorts of industries. And you'll see this – So when we talk about traditional ways of securing operational technology, it's a lot of isolate your network. Well, in facilities you have to have operators on site, but there is a need for remote access. So how do you do that safely and securely? And it's not always just an answer of re-architect, right? So back to this idea of foundationally secure devices, and all of those pieces we have to adapt and evolve and recognize that the way we have been doing business and not just in the white collar world but also when we're talking about the operational underpinnings of our society. The way we have just been like, “Well, it's fine. It won't happen.”

Yeah, I mean, Texas. This is not cyber related at all. 2011, they had a huge thing. The URCOT guys were like, “Whoa! Hey! We need X, Y and Z. We needed to raise rates. Raise rates by .02 cents for 24 kilowatt hours.” And the Public Utility Commission said, “No. Because no.” That's the way of doing business because it's probably not going to happen again. No.

I worry, and I don't really want to get into Texas. It's not my area of expertise, but that same sort of attitude of, “Well, security by obscurity, or it's probably not going to happen, or the risk of it happening is – I’m just going to say that I’m not going to spend the money right now because it's probably not going to happen. But when it does, and it will, all hazards, May not be a cyber thing.” It could be something else, but these impacts are the same. And if you don't want the impact to happen, address the things that can cause the impact.

[00:50:48] CS: Yeah. I mean, it's going to take not only just a massive push of new people and new thinking and stuff. It's just going to require an entire sea change of like the way we think about our utilities.

[00:51:00] EM: Right. And you can't wait for the omnibus infrastructure package to make its way out of big F federal government, right? Yes, that needs to happen, absolutely. Like we can still – We can put that on the horizon. We can advocate. We can talk to our representatives about that we can, but that is – Holy heck!

[00:51:25] CS: Yeah. But you can't not do anything until that comes along.

[00:51:28] EM: Right. And so you have to be able to take the things that you can do and even with, – Okay. So I talk a lot about – Let's get the government involved to bring in budgets. Even small things. So if you're a water utility and there ain't nothing coming and you're going to – I mean, there are all sorts of things that we have to be able to say, “Look. Normally, we know we want to do the right thing. Normally there may not be resources. There may not be time, but we need to sit down and actually dedicate the time, right?” And that that is prioritization, and that's tricky to do when you're under resourced if you don't really have capacity. But this is the type of how do we think creatively? And then the policy maker side and the people who are involving on the bureaucracy, how do we help them? We help them. Because, again, if you're a town member living in the area that's going to be impacted by these utilities, I mean, pick your poison of utilities, electric, power, water, the whole thing, electric and power is redundant. But you know what I mean.

[00:52:26] CS: Yeah.

[00:52:27] EM: Yeah, the redundant office of redundancy. These all impact us. This is very real stuff. This is not just you know on the interweb somewhere that's never going to impact me. It's going to impact you yes a lot.

[00:52:40] CS: Right. Yeah, I guess as we wrap up today, we had an hour here and I know we have not yet solved all the world's problems, but it was so much fun to talk about them and to get excited about the future here.

[00:52:52] EM: I love complicating.

[00:52:54] CS: So as we wrap up today, tell us about your work with Mocana, some of the projects you're working on and some of the upcoming things you're excited about.

[00:53:00] EM: So that Air Force contract that I talked about is really interesting. So we contracted with the Air Force the beginning part of last – Really, it's all a blur. Sometime in last year before the summer. We are contracting with them to help work on supply chain vulnerabilities, provenance pedigree from the time the software is created, any kind of software down to the point of presence on a weapons system. And it's really interesting to be working on that. And I’ve been screaming from the rooftops about – And a lot of us have been about supply chain security issues in the digital supply chain not just the hardware supply chain. That's a whole other kettle of fish. And looking at how we can help solve some of those problems. And it was an espionage incident, but solar winds comes like on the heels of that going, “Guys, knock-knock, here's that issue again.” And I was concerned about it back from 2015 with Havocs, which was a very similar supply chain incident where it was compromised, a piece of firmware update that people downloaded and found their operational technology, but it was actually the Russians putting command and control capabilities and espionage capabilities back in 2015. And we're looking on how do we help contribute to solve that problem. We not solve all pieces of the problem, because Mocana is not malware detection, but supply chain providence pedigree and up to the point of presence. And this is a huge deal for weapon systems. And so that's really what I’ve been working on. What I’m really excited by. I’m hoping we can transition that into a fuller – A further follow-on contract. Again, we're in point of – I mean, the word is proof of concept. Thank you. It disappeared on me. You just see the bats start to fly in my brain for a minute. But that is something that I’m extremely passionate about and looking at what tangible impact can we make. And whether you are on site as an operator, whether you're working in network management, whether you're a vendor, whether you're like me and you're trying to sell stuff. Yeah, I’m trying to sell stuff, but I’m really trying to make a difference. That's my big modus operandi is to help all of us be more safe and be more secure and to stop people from dying unnecessarily.

As you reflect on the last year, that mission is so vitally important, and I think we forget about what this is really all about. And, yes, we want to sell stuff and we want to do our jobs and make money and support our lives. But what we are in service of is a mission that matters and a mission that keeps our way of life going. And we've seen what happens when it breaks down. We want to help fix it.

[00:55:50] CS: Graphically. I mean, I feel like all of our listeners right now are waving their hands in the air and they want to join in. So if our listeners want to know more about you, Emily Miller, or Mocana, where can they go online to find out?

[00:56:02] EM: So obviously you can go to mocana.com, but my personal presence on the web is on LinkedIn, Emily S. Miller. I’m a former fed. So I tend to do a lot more lurking than I do posting. But what I do post, it's kind of fun and interesting. And then also my Twitter handle is @indeedemily. Again, a lot more lurking than posting. Just as my former nature would say, “Don't say anything publicly fed.” But now that I’m further away from that, I tend to do a little bit more. So I’d love to connect with you. Come talk to me if you are interested, if you are curious, let's talk. I would love to share and talk more and help where I can.

[00:56:40] EM: Emily, thanks so much for all your great insights today. It was really great to catch up with you.

[00:56:45] CS: Good. I’m so glad. And for all your listeners, I apologize where you get to see my COVID-shattered brain.

[00:56:53] CS: We're all in the same boat here.

[00:56:54] EM: Oh! Hamster wheel running on 12 different cylinders trying to keep all the lights on at the same time sometimes with flicker.

[00:56:59] CS: Oh yeah. Just one bare bulb in the middle of a bar room sometimes and you're like, “There it is again.”

[00:57:05] EM: Exactly.

[00:57:07] CS: Yeah. So thank you again. And thank you as always uh for everyone who listens and watches each week. New episodes of the Cyber Work podcast are available every Monday at 1 pm Central both on video at our YouTube page and on audio wherever find podcasts are downloaded. And also don't forget to check out our hands-on training series, Cyber Work Applied. Tune in as expert Infosec instructors teach you a new cyber security skill and show you how that skill applies to real-world scenario. Go to infosecinstitute.com/learn to stay up to date on all things Cyber Work.

Thank you once again to Emily Miller, and thank you all for watching and listening. We'll speak to you next week.

[00:57:40] EM: Bye guys.