mnemonic security podcast

Prioritisation & Decision Making in Critical Infrastructure Defence

mnemonic

Joe Slowik, ATT&CK CTI Lead at MITRE, joins the latest episode of the mnemonic security podcast to share his insights on the complexities of securing critical infrastructure. With a background in cyber threat intelligence, incident response, and detection engineering, Joe discusses with Robby the challenge of defining and prioritising what's truly "critical" in a landscape where every sector claims importance.

They explore the difficulty in distributing security investments across industries and the growing need for organisations of all sizes to adopt a mindset of self-defence. Joe also addresses the potential consequences of large-scale cyberattacks, such as those by Volt Typhoon, emphasising the need for coordinated incident response and leadership during crisis scenarios. He concludes with a strong call for resilience and highlights the vital role CEOs play in ensuring organisational preparedness.

Speaker 1:

From our headquarters in Oslo, Norway, and on behalf of our host, Robby Peralta. Welcome to the mnemonic Security Podcast.

Speaker 2:

Back in 2004, Pixar and Walt Disney Pictures released The Incredibles, which is a great movie when you're 11 years old. Long story short, there's a part of the film where the Incredible mom tells her Incredible son that everyone is special, to which he insightfully replies that this is another way of saying that no one is. That smartass reminds me of someone. Fast forward to 2024. Unfortunately, in a world without superheroes, that same analogy can be used in a critical infrastructure context. You tell me which is most important: electricity, water, maybe roads, railways, airports? What about the armed forces, police, intelligence agencies, emergency services? Just thinking about this makes me hungry. So of course we need food too, but we probably need money to pay for the food. So maybe we need a bank then too, and they probably need their IT service partner. You get the point: if everything is critical, then nothing is. And in the face of crisis, the inevitable cyber doomsday, who is going to get helped first, and by whom? Joe Slowik, welcome back to the podcast.

Speaker 1:

Always a pleasure being here, Robbie.

Speaker 2:

So it's the first time you're called Joseph on the platform here.

Speaker 1:

Oh, really? Do we have a new name change going on or what? Not really. I guess I just decided to be a little more formal this morning. I don't know.

Speaker 2:

That's funny, because I've always wondered why people always called me Rob on the podcast, and then I found out last week that my name is Rob on the platform, so that explains it. Okay, okay, so the colors in the trees are changing. It's pouring rain outside, it's getting darker, so that kind of sucks, but that means it's the time of year that I get to see you in Copenhagen for the ICS conference.

Speaker 1:

This is very true. Yeah, and actually not only Copenhagen, but I will be at Brucon and I will be out at the Winterfestfall in January as well.

Speaker 2:

Awesome so.

Speaker 1:

I will be in Oslo in January because that's a lovely time to go to Oslo.

Speaker 2:

Yeah right.

Speaker 1:

It will be like snow, Whoa awesome.

Speaker 2:

I'm going to be seeing you a bunch then. Yeah Cool, and it's the third time that you're at the ICS conference.

Speaker 1:

Fourth time, I think, actually. Fourth time.

Speaker 2:

Okay, I was going to say third time's a charm, but fourth time has to be a charm, right? So, for those that haven't met you before, who's Joe Slowik and what's he up to these days?

Speaker 1:

So Joe Slowik is currently running the ATT&CK part, the CTI portion of the MITRE ATT&CK framework, while also doing some critical infrastructure security research and analysis, which is, I believe, kind of more what we're going to talk about today, but also doing some wide-ranging information security research and training. So I've been doing this in some form for over 15 years now, which is getting kind of scary when you think about it. But, yeah, pleasure to be here, as always.

Speaker 2:

Yeah, well, you're the right man for the job. I mean, if you're invited back four times to the conference, you're doing something right. Yes, so what are you talking about at this year's conference?

Speaker 1:

So this year, it's not a very technical discussion, although it does have technical implications. But for anyone who's seen the film The Incredibles, you might remember there is a scene in that movie where the villain says, like, if everyone is super, then no one is. Well, there's a similar analogy to critical infrastructure, that if everything's critical, then is anything really critical? And I'm really kind of trying to address head-on: how do we assess, how do we start evaluating what are the most important things to allocate resources for hardening, improving, defense and securing, when there are so many things that we can call critical but we don't have the resources to possibly cover everything?

Speaker 1:

And this, honestly, was a thought that I've had for a while. But it really hit home with content from last year's conference, where folks from the Danish energy sector security organization discussed an intrusion campaign targeting some networking equipment that had some potential overlaps with Sandworm activity. That's still indeterminate, but that the activity took place is not, and, in talking with the presenters on that material, identifying that there were some very tiny entities in Denmark that were hit through that. And it's the question of, okay, can you layer on security like a thin coating across everything, or should you really only focus on the most important, the most critical items that are key to the country's economy, or security, or whatnot? And how does that balance work? And it's a tough conversation because no one wants to have it, because no one wants to be the person that tells some rural electric cooperative or something that, well, it sucks to be you, you don't get support because you're small. And maybe there are ways around that too that need to be explored in greater detail, if that makes sense.

Speaker 2:

So, like today, I'm assuming this conversation becomes more and more relevant, but it's also brought on in Europe by things like NIS2, right? Because there are actually certain organizations that are critical that have to be able to do NIS2, I guess. Who decides that, and how is that? I'm not sure if you know the answer to that for Denmark and Europe, but who does that in the States?

Speaker 1:

That's a really good question, and the answer is it depends.

Speaker 2:

So if you're talking the energy sector.

Speaker 1:

It's a combination of FERC and NERC, the Federal Energy Regulatory Commission and similar, stepping in and setting boundaries for that, and going into the Department of Energy and the federal government. If you're talking water, it's the Environmental Protection Agency. If you're talking pipelines, it's the Transportation Security Agency, the same people that screen you at the airport if you're in the United States, which is a frightening thought if you think about it.

Speaker 1:

Not the same people, but anyway. So that's the other thing, is that the decision making is scattered, and certainly frameworks like NIS2 try to rationalize these items and centralize them more effectively. And certainly, in the European context, you have the European Union that can step in and sort of knock heads together and get everyone pulling in the same direction. But there are lots of entrenched interests within the various sectors of, like, don't tell us what to do, we know what we're doing already, which is true to a certain extent: you want the people that actually know how these operations function to be the ones deciding how to best secure them, unless they're not doing a very good job of securing them, in which case they need some stronger incentive. Hence NIS2. But there's also the question of, you know, holding people's feet to the fire, so to speak, of making sure that proper actions and proper security investments are being made.

Speaker 1:

So, yeah, the decision-making is kind of all over the place right now, and honestly, I think maybe in the States we can learn a bit from what's going on in Europe and seeing how the NIS directives play out, because that just went into force. I'm trying to remember now. I know it's been a long time, kind of, people adapting to them and saying, like, oh, we're going to get there. I know this is a discussion I've had with friends in Belgium as well as friends in Denmark, but it seems like it's been a painful process for many organizations to try to completely get into alignment with the directive as it is currently written.

Speaker 2:

So if I just untangle what you just said. I mean, you have critical infrastructure in the States. If it's water, it's that agency. If it's energy, it's that agency. But someone at some point in time said, okay, you sectors are important. What about? And then, kind of maybe going off on a tangent here, but I had a podcast recently with someone; it's called When Ransomware Hits the Ranch.

Speaker 1:

Right, and like the meat producers, the largest meat producer in Norway, let's say that they got hit by a ransomware attack and they go down. That's critical for me, like for people. But if you start getting over a dozen, again the question becomes, what's really critical at that point? Because, like you said, okay, I want a steak, you want a steak. Everyone wants a steak, right? Not everyone, but some people want steaks. That might be more of a luxury item, but if you can't get fresh food produced, shipped, on the shelves of the market and so forth, that's a problem. The question is, how big of a problem is that compared to, say, electricity going down, or not having clean and fresh water available coming out of the taps, or other items? So it's a combination of both which sectors align with the highest degrees of criticality, as well as which entities within those sectors are most important.

Speaker 1:

So, the largest meat producer in Norway, it's probably pretty important. A cooperative that produces organic, grass-fed beef or something along those lines that's located in some rural area that no one's ever heard of before? Probably not so much, but it's still part of the food sector, though. So does that also mean that they are, you know, we would say, for health reasons, beholden to the same standards and such, because we want to make sure that those steaks are good, Grade A, Prime, and so forth? I mean, there are stipulations in terms of the size of the organization, I believe, in the NIS directives, but the idea being, you know, is this a one-size-fits-most sort of endeavor, and how does that work in practice? Interesting.

Speaker 2:

So doomsday, right? Tomorrow, something horrible happens and we need to allocate resources. What does that look like? Is there actually, do people know what to do, or is this just, who knows?

Speaker 1:

I think people think they have some idea of what to do, but no one really knows how things are going to happen. This is something that we're seeing in the US certainly. So I don't know if all of your listeners would be familiar with it, but there is an entity that's been linked to the People's Republic of China called Volt Typhoon. That has been top of mind for breaching critical infrastructure environments for a few years at this point, and it's been a very open question of, like, well, if any of this ever actually happens and goes live, what do we do about it, depending on where they are and what sort of effects get delivered? Because it is fairly widespread. There's not a European equivalent that I'm aware of.

Speaker 1:

You could link to maybe some of the Russian-related intrusion sets that have been active in and around the ongoing conflicts in Ukraine and so forth, and we've certainly seen critical infrastructure intrusions.

Speaker 1:

Country you don't like, or whatever bad-guy land or something, ends up breaching the networks of Norwegian critical infrastructure entities and starts a cascading effect that impacts electricity, water, oil and gas operations (big deal in Norway), food and similar items that just, you know, hits lots of things simultaneously.

Speaker 1:

How do we start prioritizing what comes online first and where restoration starts?

Speaker 1:

I don't think anyone wants to answer those questions, because that's not only difficult, but it's going to leave some people very unhappy when they find out that they're not as critical as maybe they thought they were. Which is the other side of this conversation: that, in coming up with wide definitions of criticality when it comes to infrastructure and services, I think we've created a false sense of, like, well, if something bad happens, the government will save me, or the military will save me, or someone will be there in order to back me up, when that might not be the case. And so we need to have more honest discussions about what capacity even exists to step in in these instances, so that asset owners can find out precisely where they stand in terms of: can I expect external support and assistance in these situations, or am I really going to be on my own? And, knowing that, how can I then properly invest on my own to better counter and better align myself with how things might play out?

Speaker 2:

Yeah, I forgot who I was talking to about this, but anyway, there was an analogy where, okay, so the government, obviously, if somebody comes and steals my wallet, the government, the police, are supposed to help me, right? The government has a certain set of responsibilities that everybody who's a citizen that pays taxes can just enjoy. They're there, right, to keep me safe. But in cyberspace that government's really not there. They want to know about what happened, but yeah, I mean, yes and no.

Speaker 1:

But also, you're even looking at your original example, like if I'm wandering the streets of Oslo and a pickpocket takes my wallet or whatever, okay, I can report that to the police. They're not going to take four or five officers or whatever. And it's like, okay, we have the top men assigned to your case and, you know, you're ready, your wallet. Like, no, that's not happening. You can file a police report and maybe you'll get lucky as part of something else, but they have other things to do.

Speaker 1:

That is not a very high priority, and knowing that, you know, it gives us a better expectation of, like, okay, I should probably keep my wallet in my front pocket, not my back pocket, or something like that, if I'm going through certain areas and things along those lines, because I can't expect that it'll just be recovered by the authorities if it's taken, because it's just not that important for them.

Speaker 1:

And we can extend that into the cyber realm, where it's like, okay, I can't just expect the authorities, whether it's in Norway, the United States, the United Kingdom or elsewhere, to step in and make things better in all cases because, again, resources are scarce, not everything is as important as other things, and it means that difficult choices have to be made. There's no really getting around it, and just accepting that means that we can at least make better decisions in terms of how we're defending ourselves, and that's one of the things I'm really going to touch on. You know, everyone thinks, when they hear the background for the discussion I'll have at the Industrial Security Conference in Copenhagen, it's like, oh, that's such doom and gloom. It's like, no, it's not, it's honest, and it at least helps us then understand, like, what do asset owners then need to do on their own, from their own perspective, to better prepare for the worst case scenario, instead of just blindly hoping that, you know, someone else will step in and save me?

Speaker 2:

So I totally agree with you. Good point. I mean, up in the north of Norway they probably have police officers that would love to handle a pickpocketing case because they don't have anything to do up there. But to your point, yeah, you're right. These asset owners, at least I would assume, like the large oil and gas companies in Norway, right, they have understood that they need to have people to defend their own networks, and they have that. What do you think they actually expect? Like, I would assume, some of these, at least the large oil and gas operators in Norway,

Speaker 1:

like, do you think they even expect anything from the government at that point, like the security people? Or do they think, we have been around long enough to understand where things reside but also have the resources available? Like, if I'm talking to an Equinor or I'm talking to an Aker BP or something like that, you know, not only do they have a pretty good understanding of their domain, they also have money. I've talked to individuals on the security teams from, you know, several of the major oil and gas organizations in Norway. They know what they're doing and they have things aligned in order to try to defend their networks and make sure that they can keep up and running in the face of a determined adversary.

Speaker 1:

The problem really becomes when you start shifting away from fairly large, well-resourced organizations and get into the electric utility in some very remote area of Northern Norway that also might be close to that little snippet of border that connects to a very interesting country. Okay, do they have resources aligned similarly with what these large oil and gas companies do to potentially operate against a well-resourced, state-sponsored adversary? Probably not. So that becomes an area where we can start anticipating, like, okay, while these are discussions that I think need to be had, it's not just a question of what is economically or strategically most important, but also who has the ability to actually do this on their own effectively, versus what entities are kind of left helpless in the face of these adversaries that genuinely need external support. And maybe, looking at things in that perspective as well, so that large oil and gas company, you guys are on your own.

Speaker 1:

Why? Because you could probably make it happen. If things go to complete shit, then, you know, there's a war going on. That's a little different, and then in that case it's all hands on deck and we will try to figure out how to organize resources as an entire society at that point to repel things. We'll hopefully never find out what that looks like, but at least for things that we're looking at now, okay, oil and gas companies, take care of your own shit because you can do it. Smaller entities or whatever that have strategic significance are probably not able to do so on their own, therefore meriting that sort of external support and investment, because otherwise they just can't do it on their own.

Speaker 2:

Actually, in real life, I'm just thinking if this scenario would go down. You know, you have these huge oil and gas companies. They get hit, they have their own team, but they have a response retainer. So we have some of our good people over there helping them.

Speaker 2:

That's kind of doubled up with, you know, maybe that's a little too much for that one entity, and you have all these other entities that don't have anything, and they're not going to get help because we're kind of commercially bound to help those who actually don't need help from before, kind of.

Speaker 1:

You know, I can see that. Well, I mean, you know, you look at the security plans that a large organization would put together. They have an incident response retainer for a reason, because it's not economically feasible to have a large sort of standby security presence that hopefully doesn't have to get used very often, if at all. Hence mnemonic or Mandiant, well, Google Cloud, or, you know, CrowdStrike's IR practice, and, you know, all these other sorts of organizations out there. Where things get interesting, though, and this is sort of a separate discussion, is when you have a large scale intrusion that impacts many entities simultaneously. Mnemonic only has so many people, very good people, I've met many mnemonic folks and they're great, but there's only so many of them, and if multiple customers with retainers get breached simultaneously, that becomes an interesting question commercially as well. Again, separate discussion from this, but one that I think is getting more interesting as we start seeing certain entities get more, what's a good word for this?

Speaker 1:

Frisky, a little more risk averse in executing operations, whether we're talking a Volt Typhoon, a Sandworm or something else. That if you genuinely have multiple critical entity incidents coming up simultaneously, like NotPetya but with even greater sort of impact scenarios, what's that bench, that roster, look like, and how deep does it extend, so that you're not left with organizations that thought they had an incident response retainer being told, like, we're sorry, but we have X number of customers and only Y number of responders. We'll get to you when we get to you.

Speaker 2:

I used to say, when I was competing with mnemonic, I would say, like, yeah, but you know, mnemonic has all those customers, like, what happens if there's a big, big incident and they're busy? But now, like, I've seen it here, and I mean you've worked with a bunch of different mnemonics around the world in an event like this. I'm actually wondering, because I'm not allowed to go in the war room, right, we have this own section of the building locked behind doors and whatnot.

Speaker 1:

If it's the same incident, isn't it sort of like you're giving a lot of the same advice, you're asking to check the same things, or how do those incidents actually play out when it's like in, it's actually a really good question, because it's also something, I think, you know, going back to the critical infrastructure discussion, why, you know, another way of looking at this is in terms of high-level incident coordination and analysis, so that you're not repeating the same work over and over, but instead able to gather up information, aggregate it and start learning from it. You know, what happened at entity A is similar to what happened at entity B, so we can reasonably predict what an incident at entity C is going to look like, and to pull together more of that information necessary to get that sort of wide perspective of what's going on, which gets us into another realm entirely of information analysis and information sharing among essentially private sector organizations, and doing so for public purposes and the public good. Yeah, interesting.

Speaker 2:

Well, I think, at least in the security world. I feel like we're kind of like the nice guys.

Speaker 1:

I think we'd be open to sharing and whatnot.

Speaker 1:

Maybe it's a little different between Norway and the States in that regard.

Speaker 1:

Yeah, you know, it's interesting, because I'm not trying to speak ill of any entities or whatever operating in the commercial sector in information security. But if you have organizations that have an incident response practice and have, like, a threat intelligence practice that they make money off of, their incentive is to continue generating value for their customers and justifying why they're paying for something. And if they just start giving away information, you know, for these reasons, are they undermining their own value proposition? But in the process of trying to maintain their commercial presence, are they actively harming the ability to tackle national security issues at this point? You know, which could even extend into things like the ransomware epidemic, because it's having significant impacts on the ability to operate critical infrastructure sectors these days, even if that's not necessarily the intention of these entities, but it has significant effects. That not having that information in front of decision makers that are helping to plan out and execute higher level strategy, is that limiting our ability to defend modern societies, because company XYZ wants to make sure that they hit their numbers for Q3?

Speaker 2:

Well, money is the root of all evil, so you definitely have a point there.

Speaker 1:

Yeah, but at the same time, though, I could see a counter argument that it's like, well, government's not doing this effectively, and so the commercial entities are filling a gap that otherwise would not be addressed, and they can pay the salaries and invest the resources that the public sector has not. So there's a real tension there that I don't think anyone's come up with a really good way of resolving yet. Not in the States, not in Europe, as far as I can tell.

Speaker 1:

There are some really great government CERTs and similar, and there are some really great commercial organizations like mnemonic that are out there, and balancing the tension between the missions of the two can be really interesting, and how that plays out when it comes to critical infrastructure security and defense is going to be a really thorny issue to figure out, should it become necessary to do so.

Speaker 2:

There's a movie about greed being good, so, yeah, that's a very... We have to figure that out over a beer at the conference.

Speaker 1:

Yeah, no, exactly, and you know, that's one of the arguments that's made, in the States at least, about this: like, well, you know, let the market figure out the efficiencies and the ways to do this. And again, that's all well and good until it comes to the power and water utility or whatever that's located in some part of Arkansas or whatever, that also happens to serve a large military installation, that has neither the budget nor resources to get any of these items.

Speaker 1:

Should they be essentially on their own in the face of potentially nasty adversaries, because they just can't afford the market solution? So how do we correct those market inefficiencies?

Speaker 2:

I guess that would be another item worth acknowledging, and I guess the bigger the country is, the more these problems are actually apparent. I guess small little Norway will be okay either way, but all right. Yeah, by the way, I'll just talk about, you know, doomsday. Do you believe in these big public-private, like, you know, nationwide tests for incident readiness and stuff? No one's ever, like, I've never had anybody on that talked about it. What do you think about those?

Speaker 1:

I think it's a very good idea. I know there's been work, especially in the electric sector, where you have things like GridEx. And why am I? I can't think of the name right now.

Speaker 1:

I'm trying to think of, like, the name I can say in public, not the name or whatever that I can't say, but operations to test things in terms of grid resiliency and how to do things like restore power in the face of persistent and pretty interesting attack scenarios, which is something that has been going on in the US for a few years. I think it's very valuable because it tests assumptions and shows just how certain scenarios can work out if you have a genuinely creative and knowledgeable team acting on these resources to show just what is possible, and can really be effective in showing, like, oh, we didn't think about that, and oh, I didn't realize that we might need to, you know, work around these issues, or identifying things like the need for spares and other items that can result in, you know, real impacts to the resilience of critical infrastructure. Having said that, okay, we do some of that in the States. I'm roughly familiar with this going on in a few areas in Europe, not so much in the Nordics, though, although that could be just my ignorance, but we don't do it in all sectors.

Speaker 1:

So, again, what does this look like for the food sector? What does this look like for the water sector? How does that actually play out? Trying to piece together a whole-of-economy way of testing critical infrastructure resiliency, that's very difficult. It would also be very expensive, which I think is one limiter in actually doing any of these sorts of activities. Just cost in terms of time, resources and money. But it's the same reason why we do red teaming and penetration testing engagements. To quote the philosopher Mike Tyson, everyone has a plan until they get punched in the mouth.

Speaker 1:

So, the same idea applies here, that yes, you have defensive plans, you have restoration plans. It's all well and good until it's actually tested by someone actively poking and trying to counter what it is that you planned for.

Speaker 2:

I feel like a lot of those entities could just do a tabletop type exercise with their leadership internally before doing it with a bunch of other different partners and whatnot, and that's better than nothing, for sure.

Speaker 1:

But things get really interesting when you start thinking about how sector-wide interdependencies work out. That, okay, say I am a water utility serving a major metropolitan area or a major urban center or something like that, and there's a power issue that lasts for more than three days. At that point, okay, maybe I haven't been impacted directly by cyber in this sense, but am I still able to perform my mission absent my reliance on reliable sources of power? And how much diesel do I have to run generators for this period of time so that I can continue that mission? What does that look like from there? And looking for other sorts of, I don't know, indirect ways that organizations could be impacted, even if they're not, say, directly affected by the nasty doomsday cyber effect or whatever, on their own.

Speaker 2:

I guess that's one good thing about the CrowdStrike incident this year, is that people are thinking about resiliency. I know that there's a company in Denmark that has, like, I won't call him a chief resilience officer, but it's someone that is in charge of doomsday. You know, they have, like, radios. It was really fun to talk to them because they have all these crazy plans, right. Yeah, very paranoid guy. A very fun guy to sit next to at the bar. Yeah, I bet, but I don't think very many companies have that, you know.

Speaker 1:

No, yeah, it's fun. Way back in the day when I was in graduate school, I was taking a class with someone who worked for the US Department of Homeland Security, well before CISA existed, and his job was basically what you're describing, like, you know, Mr. Doomsday, of trying to figure out, like, well, what would be the worst case scenario for creating a mass casualty event in the city of Chicago in the United States. That was his job, just planning that out and then figuring out.

Speaker 2:

Who should be having that resilience responsibility?

Speaker 1:

Honestly, this goes beyond cyber at this point. Cyber is a component of it and it's an increasingly important component of it. So they need to be in the room, so to speak, and discussing this. But we're talking about fundamental issues for the continued operation and viability of an organization. So if you're talking about private organizations, this is a CEO level concern at this point. So certainly there needs to be a champion for these efforts. But if that doesn't have high level leadership attention, I would say the organization is probably not doing a very good job of trying to figure out exactly how they maintain their viability as an entity moving forward.

Speaker 2:

Considerations we should take regarding those left behind. Yep. What do you mean by that?

Speaker 1:

So, if you're an organization that finds yourself on the wrong side of "are you critical or are you not?", what do we do about that?

Speaker 1:

Because it seems not just callous but almost morally indefensible to say, like, well, sucks to be you, good luck out there in the zombie apocalypse trying to survive. Like, that's not how we operate. So how do we start leveraging available resources to support those organizations that unfortunately will not be priorities in these instances but can't be completely abandoned either? And so looking for things like security hardening and advisory opportunities in advance of a potential incident to build a better and more defensible security posture, or highlighting instances for reliability, so that, yeah, if there's an actual incident we might not be able to actively help you, but we could better prepare you in advance so that you're able to respond more effectively on your own. And thinking of how to make investments in that way that can pay interest over time, even if they don't result in sort of boots-on-the-ground, people-on-site support in the event of an incident, and trying to stretch available resources in such a fashion to help out these sorts of entities.

Speaker 2:

I was just thinking in my head, why doesn't the government give tax breaks for companies investing in security stuff? But I guess they can write it off as a business expense, but that's not enough, I guess.

Speaker 1:

Oh, it's really interesting how it's played out in the US, where we have, you know, very much a privatized power sector of sort of natural monopolies that exist, and you have controls over, you know, what power companies can charge their consumers. And you look at things like, you know, in the Western US, where they've had tons of wildfires for the last several years and such, and part of them, and many of them, due to power lines that have fallen, sagged, come into contact with vegetation or whatever, that then sparked the initial fire and then spread into a wider conflagration. And so you have organizations that are trying to invest to improve these things, which means, well, that money's got to come from somewhere. Maybe that means that we can't do cyber anymore, or, if we do invest in cyber, that means that the end users have to start paying more because there is a guaranteed rate of return that these organizations have negotiated in terms of their rate-paying entities or whatever. So there are really interesting commercial aspects to this as well that limit or place interesting considerations around how organizations operating in some of these sectors can even prepare for these items, which is why we're looking to things like government support, because we're talking about critical services for everyday people.

Speaker 1:

At this point, you know, how do we start negotiating among these conflicting interests so that, you know, the people who are providing the power can still exist, because they have to make money, but they can still provide power, which everyone needs to some degree, because without that nothing works in modern society anymore? How do we start balancing out those conflicting interests, whether it's cyber or vegetation management or, you know, burying power lines or whatever in certain areas, or implementing technologies to rapidly trip items if they detect high winds or a fault or whatever, so that you don't have an energized line sitting on the ground in a bone-dry area of California that is then going to set tens of thousands of acres on fire?

Speaker 2:

Right. So last question for you today, Joe. I was at a conference this week and they were talking about... it was a CISO and he had a new role. It was called Chief External Security Officer, and so he was basically pushing security onto his supply chain, right? Okay, he said basically one of his plans was to sort of... 'cause we were talking about how to not leave the SMBs behind. And you know, if you're a big company, right, a big bank or big energy company, I have lots of suppliers, thousands of them. If I was to push... you're familiar with CMMC, right? Pushing requirements: if you want to do business with us, you have to have this level of security. And I think it was him that said that by you pushing that, you're kind of raising the level of security in the SMBs, because those are your vendors; a lot of them are your vendors. Do you buy that?

Speaker 1:

I think there's something to be said for it. I think there need to be greater enforcement mechanisms around them, and the idea definitely has validity to it: that if everyone is actually doing this correctly and as advertised, then, yes, you know, the rising tide lifts all boats, so to speak, because a large bank organization, or even, like, government or military as a spender, you know, buying services and requiring these steps of their suppliers, means that everyone else that deals with those suppliers benefits from the same improved security stance. Where things get interesting, I don't know if you were following in the news, but there was an incident that happened, a legal incident that took place with the research laboratory associated with Georgia Tech University in the United States.

Speaker 1:

Yeah, where, you know, it's one thing if you have, you know, CMMC and you have security plans and have, you know, authorities to operate and similar. It's one thing if you're actually implementing them.

Speaker 1:

It's another thing if you're saying you're implementing them and you're not. So seeing how that plays out, and I'm pretty sure they're not the only ones who are guilty of doing this to a certain extent, you know, that's where things can go awry: if people sort of game the system or figure out ways to legally comply with these items and not technically comply with them.

Speaker 2:

So doing so not in the spirit of how it was designed, but trying to meet the minimal criteria in whatever way possible at the minimal cost, yeah. And for those of you that don't know what we're talking about, it was Georgia Tech, anyway, some university that bid on doing some research or doing something and they didn't have what they said they had. And that's interesting, because today you never get a client like... I always get those questionnaires, right? Do you guys do this? What do you do? And it goes to my CISO and we fill it out and do it, but they never really test it. They're not, like, coming and doing a pen test on us. You know, they're doing an audit, I guess, but they're not. So there's, and if they're not doing that to us, the vendor says they actually do, right, right.

Speaker 1:

So again, it's a great idea but there needs to be something that fills in on the accountability side to make sure that people are actually doing what they say they are.

Speaker 2:

Instead of sending out Excel sheets. Yes, yes, no, I guess it's what the certifications are for, though I guess yeah.

Speaker 1:

Because those can't be gamed either.

Speaker 2:

No right, I hate audits. It's so scary.

Speaker 1:

Scary for a reason.

Speaker 2:

Any closing thoughts before we wrap it up? And I'll see you here in two or three weeks in Belgium.

Speaker 1:

Yes, no, I think we touched on just about everything. I hope it's an interesting conversation that we'll have in Copenhagen. I'm looking forward to it, and hopefully we can spark some interesting thoughts and considerations on the part of attendees in a few months.

Speaker 2:

Thank you so much for your time, Mr Slowik. We'll see you soon. Sounds good, Robbie. Well, that's all for today, folks. Thank you for tuning in to the Mnemonic Security Podcast. If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to hit me up on LinkedIn or to send us a mail to podcast at mnemonic.no. Thank you for listening and we
