Switch to Pole Position: What OT Security can achieve by changing the game.

I mean given the small audience I think we can keep it interactive as well ask any questions um looks like you have some OT experience anyone actually in OT currently you are okay nice nice um well first of all I'm glad that there are five people that are interested in OT security because this is not unusual in general whever you go Devcon black hat uh for every 90 plus people interested in it or it security because it's a much bigger um piece of the piece of the pie if you will OT is is small right but um it's important in fact I strongly recommend if if you are it Savvy but also are interested in crit

infrastructure in general or protecting the nation in in other ways right OT is one way to do it so so quick about me uh VI pada I work for a company called Missi networks we're in this OT space uh personally I have been an OT guy all my life so if you have any questions in general like the other gentleman was asking you know how to get into OT I'm happy to uh maybe connect the dots for you that uh might not be as obvious and I've been on the Block for quite some time um I've presented at many uh conferences including Defcon in the ICS Village um another big IC conference called S4 in Miami and in

Atlanta so I when I saw the the badge with the uh sword ring I remember my technical school from like late 90s so I've been around the block for a little while even though my soldering days are a little bit further away from me now so why is OT security stuck this is interesting because because in general you know if there's a problem we go fix it right especially if it's an obvious one but in our world it's not so the case so first of all um this is a lot of wor but Enterprise risk is uh you know not just technical right so all of us even though you know you sometimes are not very sure um if

technology risk is all you care about the reality is companies care about other things right they care about Financial Risk legal risk that's why they have other uh responsible people CFO and you know the legal council um so they maintain a risk register and in general the managed risk right those of you that are more focused in it would know that you know you don't always get what you want right that that's pretty obvious um even even more obvious for OT people um but the it folks have known for a long time that risk calculation is more of an art um somewhat of a science but more of an art and there is a lot of statistical data

available for it stuff right to go look at this IBM or ryzen data breach reports and you can say hey this is risk posed by these type of devices these type of applications and you can come up with some kind of mitigations but OT historically has not been accounted for properly what do I mean by that so in the it side some things are very obvious right when you look at the first two where you know you clearly know that you're defending against something like a fishing campaign or someone trying to Ransom you and it's not easily covered by insurance or other ways to you know not do something about it right so that part is very obvious for it people same

thing with um you know having to do something because you know you're trying to utilize technology to protect against malware against fishing against misconfiguration against all kinds of you know Insider threat you name it and it's a pretty uh wellestablished fact you know you kind of have security controls considered and applied as you're making other decisions right investment decisions about buying something or uh changing something in your in your factory but OT if you look at the bottom section is not covered because first of all we've had a big problem including like the gentleman was saying before about uh hey our stuff is isolated our stuff is not connected so we're okay you know we

don't have to do much because we kind of isolate our stuff and we're operating independently of the it stuff the reality is that's not being the case for probably 20 years so in the and here I can give you a little bit of History lessons in the early 80s we had the conversion of the old Hydro hyd hydraulic and pneumatic systems to digital um before that we had electronic stuff but mostly relays uh but in the 80s things started becoming computer-based and um the industry developed some unique protocols that they needed because publicly available stuff was not good enough for their application right so if you think about your cars might be a good example uh think about the

evolution of cars and the technology in the cars right the interface uh the embedded system that's in the car for engine control um similar to that in the critical infrastructure space there was a lot of technology that that was developed and people did not feel comfortable using Unix or other um operating systems in the 80s and 90s So eventually long story short now the base systems the embedded systems of controllers they still use some form of Linux or risk-based architecture but the operator interface workation that all windows that's been the case for 25 plus years so what ended up happening was lots of these systems ended up being connected to other it systems whether knowingly or

unknowingly uh knowingly sometimes because the engineer needs you know drawings and you know other data that's on their computer in the office and they need to also copy stuff from the plan floor right so especially in the manufacturing environment that Gap never really existed there were a lot of think they were just talking to both sides right and how many of you remembered a couple years ago the colonial pipeline incident yeah in colonial and this is a big critical infrastructure organization they had isolation segmentation however if you remember the news at the time they said we shut down the operations to be on the safe side our billing systems got affected we didn't know how to build our customers

for the product we were delivering so there was no point right so the one on safety reasons you know shut down so that you know ransomware cannot be infecting the OT systems and second they couldn't build people anyway so might as well just shut down the operations right so all that means is a lot of reasons why OT systems are connected to the it side of the house and it is typically connected to the cloud so there's a whole different puru model conversation about separating um certain components and certain buckets so you can then you know put the proper controls but long story short if you ever hear that OT is isolated you just have to chuckle

because that's not been the case for a long long time if there's any questions yeah please feel free to ask uh the second is you have Shadow it and you all know that right and the problem in OT is we have a lot of Shadow OT and we don't even know what that is uh often times you do a sidewalk you you walk around and you start point said what's that what's that you have no idea people connected something somewhere uh there's a there's a drive here there's a U controller there there's a uh blinking something else there and you have no idea what they are and they're relevant to the operation or not because someone

somewhere started something temporary and now it's a permanent thing right and then the other big problem and this is something that you all would know and that we have thousands of thousands of systems with so many vulnerabil they've been obsoleted by the manufacturer 10 years ago 15 years ago it's still in place it's doing what it's supposed to do so nobody's touching it but it's vulnerable right but because there are thousands of vulnerabilities how do you even start thinking about patching like if you're an IT guy and you know for a fact on the it side if you find a vulnerable system you either upgrade it you know update the patch or replace it with something that's support

like those are simple things that you do right next year when Windows 10 goes obsolete you know you all know what to do right go buy a new computer or replace that with Linux you know do something so that you're not using your vulnerable system right but if you have thousands of those devices what are you going to do right do you have the money the budget the time the resources to even try to replace it and sometimes that's actually going to happen uh where like let's say Colonial happens and you work for a different pipeline company till yesterday you were banging your head an asking for dollars and you didn't get it but today the management

comes and says I'm going to give you $50 million go fix it well you can't fix it there's nothing that you can instantly do not in two months not in three months that's what actually happened when the TSA directives came out right after the colonial pipeline incident they said do these 50 things and you got time till November to do it people are like ah yeah not just till November we can never do have these things right so that's why they pushed back in the industry and eventually TSA uh changed the directives to you know more of a risk-based approach and you know gave people a more control on what they could do in a in a

phase Manner and the last one is this is really interesting uh in fact if you're playing bingo in any OT security conversation you hear the name tuet so every time people do that if you're a traditional L guy you Gran and you say no you didn't say that again you know it's kind of like you know it's always always UDP it's always DNS that kind of joke right um but if you think about it there has not been a focused OT attack in the in the history of the United States right uh I'm choosing my words very carefully there because we've had some OT specific attacks so we can count them on two hats so right from stocket to Black energy uh

in Ukraine to Triton in Saudi Arabia to most recently what was discovered which was called pipe dream which is a toolkit um every time you hear people talk about OT attacks it's usually been some kind of ransomware on uh public facing interface or some kind of you know like if you watch on Showdown or something a controller happens to be on the on the internet and somebody just messed with it right so it's not really um specific like a lot of OT attacks that we've been uh planning for or thinking about have not materialized so what then happens is people are more and more complacent right like if you haven't seen a dedicated attack most of the

attacks are happening from it you're like yeah I'm going to go protect my it systems why do I care about OT right seems like nobody is chasing them right the reality though is that OT is a lot more vulnerable it's kind of like a lot more uh problematic but because we are that's not the easiest to get to right so most it systems are a lot easier to get to because they're directly connected to the internet and you know once it's vulnerable once you have a foothold you know living off the land or expanding you know lateral movement a lot more easier um but once we start tightening those defenses once we have coverage of more it systems

against attacks what what's the attacker going to do right they're like okay now I'm going to go after one further layer that's where we are in OT so if you wanted to do something about it let's say you did get that $50 million and you want to do something about it it ain't easy to start in OT security right so start up with let's say a basic risk assessment you get to do lots of s sidewalks there's no asset inventory you have no idea what systems there are in the first place what's important what's critical what's required for the operations sometimes it's documented in like a spreadsheet other times you got to make a lot of interviews and ask a

whole bunch of people um and so it takes time right and then let's think about this this is a very uniquely OTE thing so let's take a computer that I'm using for my business purposes and if it's got some problems if it's vulnerable if it's got some Chrome issues or whatever right what's the impact going to be if someone takes over the computer I can't work right but I can shut down the computer go to some some other computer probably log in with the same credentials I'm probably good to go right because if my computer is infected my productivity is not 100% hampered because I can replace it with something else and maybe go do something

here however the impact in OT could be much higher right so if if whatever system is vulnerable is shut down that could mean there's a safety impact on the operation right it could be some equipment that should close or open or vent or do something is now unable to function and that could cause problems right it could be a flare uh meter that's now stuck and so maybe cannot ignite something right so there could be all kinds of issues in safety so often times though the mitigation like in this case of a computer replacing the computer could be let's say $2,000 right in the OT space you can't just replace that but you can mitigate the impact right so let's say

you have the primary ignition control problem because of some kind of hack um if your backup is manual right maybe there's a push button there that actually opens a valve or you know does something to continue the process that could be cheaper right instead of trying to replace the whole system or trying to find an ultimate system so often times in OTV also focus on impact as opposed to just the vulnerability in the the risk equation and then people like there are no people that are capable of both it and OT knowledge right very few that's why I highly recommend anyone with you know it networking knowledge to consider OT because we have far fewer people than

we need in the OT space that understand both know some form of networking and you know what's important to the OT world and then uh threat intelligence this is interesting so uh if you all haven't subscribed to the sisa newsletters you know if you do then you'll see that you know they they put out a lot of content most recently for power plants they said um Vol typhoon you know this is from People's Republic of China they're focusing on National you know infrastructure and they're in our uh National Grid so be aware so that goes out to all the utilities and power companies right um but that changes you know every year every other year you know you might have

a different completely different nation state or AP Focus um so you got to be a lot more Nimble which you can be in OT because you are stuck with what you have right in terms of systems and then the last one uh improving resilience the risk is evolving like I mentioned you know the tabled up exercises or instant response preparation historically has not been done I live in Houston and there's so many oil and gas companies out there every one of them has you know a five star rating in safety and they got you know an insurent response plan for uh hurricanes they have a great plan for earthquakes they have all kinds of planning for um

man-made or you know some kind of natural disasters but very few would have something for cyber right so what if a deliberate attack happened and then lastly board and Leadership you know if people don't know like the average technical person doesn't understand OT how do you expect like the board or the leadership or the managers to understand OT right they don't uh but now they're responsible for it right SEC is coming out with new regulations they're saying it's important to do this so uh they they're asking the question what do we do because they don't know the answers all right so how do we change the narrative so how do we switch this from being at the last if you're a

Formula 1 fan uh if you're a lot you know the number 208th car in the in the racet trck how do you get to the first one right so I broke this into three you know the classic people process technology the first one is people so I would say start with the people right create a team so even as recently as three or four years ago OT security engineer was not a title now it is a title you can actually look on LinkedIn or careers Pages where people are advertising for OT security Engineers right most of it needs a combination of networking some kind of administration uh I mean they would like for you to

have some kind of OT background right some kind of control system awareness or some kind of training and embeded systems but in general OT security is a is a title now right OT security engineer but that's not enough so what I think has historically helped people is to create an OT security team that has a bunch of different functions right so it it security OT security OT itself like the industrial control system oper you know the automation people the operations people sometimes even legal in HR so it's important to create that group because that group can then identify what other aspects can be improved along with security right so there's a tool there's a technology there's an approach that

you're taking what can we do to improve the business outcomes for us as a company right maybe there's pair parts optimization maybe there's some compliance or compatibility with different Technologies or there could be some kind of Licensing cost savings you would not know unless you ask a bunch of different people from different function so that's important I call this donor diplomacy um if you want to learn about OT you know go talk to the OT people right they're out there in the field you know nobody cares for them um it's kind of like you know did you ever uh talk to your HVAC technician you know or or anyone right like you know you have a lot of functional people like

this is a University campus it takes so many hundreds of people to make it functional and if I were a student here I wouldn't know any of those people right like I see them I bump into them but I don't know anything about them right like I wouldn't know what they do so same thing here like if you want to understand how to fix an OT security problem you have to understand how you know the background is operated right like how those people are on a daily basis um and then these other two are probably lot more similar to what it security folks do on a daily basis but get involved in the community you know

lots of learning from each other from different isacs uh different groups different conferences um and then there are OT specific so if you want to learn about OT threats almost all the top vendors in the OT space release their thread intelligence reports my company does uh lots of other companies do right you know for example foret has their own version of it um so I highly recommend taking a look at that after people is the policies part and this shouldn't be a surprise for it folks but most times OT security is not starting with technology right it's starting with policies like what do you need to do as a company what is the critical function

what's the crown jewel of your operations like what are you trying to protect and oftentimes it happens like I work for a company that focuses on network monitoring uh we do presentations PC's customers buy it and then they're like oh yeah who should we give this to for ownership well you should have asked that question on day one you know not after you purchase something right similarly oh in the RFP they ask questions about does it allow for role based Access Control does it allow for active directory integration so we say yes yes yes and then they even demonstrate this and then suddenly everybody has the same role just because it's you know available you know doesn't

mean you just give the same access right it's no different from admin admin right um but that's what happens most time so my recommendation always is you know get the policies identified first as to who has to have control you know who needs to have what kind of Rights and then of course the um the next step of the process right asset Discovery like I mentioned before there is no asset inventory there is no identification of avability so you have to do all those things it takes time there are tools available I work for a company that does that however these are all projects if anyone says you know I got I got you the money you

know do something it'll still take maybe a year or two years to get to where you need to be right so these are all projects not just tasks my recommendation is to have you know quick wins before you dig deep so anytime somebody says hey what do we have to do you don't come up with this grandiose plan of this is what I'm going to do across my 50 factories or 100 locations you start with one right you say hey I'm going to test this here I'm going to make sure this works make sure all all the access and you know roles and identifying who needs to get the alerts and you know what the actual

impact is all that is identified and documented and then proceed to the next and then scale it up uh secure remote access it's interesting how many of you have to think about secure remote access from your computers probably nobody right you just log into a cloud service you're good to go maybe you use a VPN right in it of course you know you got your company configured computer that's got VPN already built in you're good to go but in the OT space uh a simple VPN solution doesn't really work uh we had a lot more requirements about um replaying um certain things and what actually happened some logging requirements so there are purpose built OT tools for

secure REM mode access and then um limited outage time to accomplish tasks this is so so important um someone mentioned power plants um so water Wastewater utilities they have a lot more opportunities for shut down and downtime right so you could shut down a demon section because the rest of the process still continues for a while right or you can shut down the whole plant because you stored water in a big tank for a couple days so in those two days you can fix your process and get it back going right so not all continuous process needs to be considered so critical that she cannot take outages but if you're a power plant in the

summer you're not going down right unless you got documented approvals and you know you don't want to make money you know you you will not shut down your power plant in the summer especially in Texas all right and then uh the last one focus on technology as a business enabler so to switch this to Pole Position we all would think technology makes a big difference and it does but I it last because you know people and policies definitely come first but technology does have its place right machine learning so you all have now heard of AI in the past couple years so much that anytime somebody says AI you know you're thinking generative AI but in the

industrial space we've been using machine learning and AI for a long long time like literally decades because I mean think about a u oil and gas company doing 2D 3D seismic modeling right they got so much data Like Pat bites of data that they need to re through so they've been doing machine learning for modeling and baselining and identifying patterns identifying where to dig and Where to drill um this been around for a long time folks so in at least in this regard OT has been probably leading in in the pack for a long time because a lot of times the pattern recognition is um well established right it's not it's not too random so the traditional

uh machine learning models are always good with you know patent recognition right whereas um in the it realm it's it's not easy right if you want to do patent recognition on emails and that's why we still have spam right how much does Gmail invest in spam protection we still have so much spam because patent recognition is not that easy but in in OT it's you know documented it's repeatable so there's a lot more there and then process variable anomaly detection this is interesting so it's something that our company does and I've seen this done um well by some other uh folks as well uh think about your HVAC system again right so if your HVAC

system um has a set point you know you ask for 70 degrees or 72 degrees and you know it opens and closes you know the direction of flow uh in the refrigerant and then you know pulls the temperature down if somebody were to um ha into that system and make 72 75 right or 76 and similar to what happened at stock net you know show you something but in the back end as for something else right or rapidly change it from 70 to 75 and then break the system somehow because it's operating too much out of the frequency right all that is possible but again anomaly detection in this case both for cyber and for operational reasons can

really help you fine-tune it like if for example if your sensors were out of calibration and your 72 was actually not 72 and by dropping it to 71 you know you know don't expend too much energy these type of calculations at home might be difficult but for in a process become really important and makes a huge difference in dollars and savings so lots of these um anomaly detection models that are meant for cyber really help in process optimization as well because at the end of the day they're saving money and then lastly how many of you have heard this secure by Design One Two Three well that's good we're not getting anywhere closer it's it's a pipe dream at this point um there

is a big push from the US government including sisa um to to get more systems secure by design my challenge to that I'm part of one of those working committees as well my challenge to that is it's one thing to have a secure by Design program and a product it's another to have it secure by def fault two different things right we've had security products in the OT space for a long time uh we've had so many insecure products for a long time that we pushed and eventually got to encryption and protocols we got to um more robust controllers that are updatable long-term supportable we got them all sorted out when do you think that

happened not quite that long ago but in the you know early thousands right so we've had good systems to work with for a long time we just don't use them it's just difficult right we don't have a good certificate management system in OT so well we're not going to use encryption oh it's too difficult uh and then there are actually used cases right I mean think about a situation where you have a problem at 2: am. in the morning you're calling this technician and he's supposed to replace a controller but if it's uh authenticated if it's you know if he needs a new certificate and if he needs to install something saying they don't know right this is not something

that a technician can do at 2: a.m. in the morning you need to get an engineer involved and now you're delaying the production coming back up right so they need something that's Plug and Play Hey no authentication a lot easier right you just plug it in it's downloading from the controller it's good to go so my my challenge to that is we're a long way from secure by Design um I use the example of safety quite a bit safety didn't happen overnight you know right now uh I always like to use the example of U you know car and seat belt how many of you actually wear a seat belt as soon as you get into the

car yeah I would expect everyone and thank you everyone will do that right but you wouldn't probably know this but for years people fought against safety BTS first of all when they were invented they were not available as a default in every car I was an option and nobody picked that option even though it was cheap like five bucks extra nobody paid five bucks extra eventually they were made the default and there was a huge Ruckus in the in the 80s in the US to remove them Thou shalt not tell me what I should do right even though they were documented debts for people not wearing safety belts right people cut them off because they

were not you know interested in wearing a safety belt we've come a long way from there so now pretty much everybody that gets in the car wears a safety belt they're not questioning why because you know it's much more ingrained as a behavior so we're not there with security in the OT space just yet uh we still make so many mistakes that a traditional it person would laugh off uh that's why I think we need more it security people to work with the OT people now it's a two-way street they do a lot of things for a reason right so don't make every assumption that they have no idea what they're doing right I mean think about um a simple example

that I give where your wrong and they're right is uh well you and I were chatting so you left this uh window open when you were walking out and you felt queasy about it you're like normal it person would never leave a computer you know open unattended you'll do you know lock the screen or whatever before or you know log out right but every operator interface in the world has to be open right because if there's a process out there that I need to do something with right I cannot in that instance come here try to log in even if it's easy even if it's biometric what if it fails right what if I don't remember the

password I mean I need to shut down this operation or change something and I do not have time to mess with it right so every single operator interface in the world will have an open view right so where they are right and we're not right so that is pretty much what I have um I don't have a lot of other content um my my goal in this presentation was to kind of give you that feel for there are things we could do in OT security right to you know con converge the knowledge that we have in it security there's a lot of talk that you hear about itot conversion right A lot of it has already

happened a long time ago because we use it systems in OT all day long right especially if it's not at the controller level um and below so in the traditional Purdue model how many of you have heard of the Purdue model actually so pretty much everyone has um the level zero sensors and Level One controllers that is still pretty much the same as it was nearly 30 40 years ago but above that level level three and above it's pretty much all it systems right they're all Windows computers uh Linux servers um so all the historians workstations you know operator interfaces they all work in this Windows world there's routers switches all kinds of network infrastructure that part is very much

similar to what is in it right the only difference is you might not be able to update it when you want you might not be able to access it for what reasons right and you might have to focus on certain segmentation projects so how do you approach security might be different but the actual tools are very similar right from level three and about or even level two and about um so the key is to have a combination of OT security or OT experience with it security and build a team so that that's the only way to be successful so that's pretty much what I have um happy to answer any questions whether yes sir what about potential

like conerns yeah no it's a great question because um well let's start with the it side of the house right uh years ago I don't know if it's still the same but years ago I heard that um the number one um faked thing on the planet was not a Louis Vuitton bag but a Cisco switch um there has been documented evidence of you know supply chain being you know porous for a long long time right um we have the same concerns in OT right so think about a pressure transmitter for example that I buy from a reputer vendor and it's good and it's showing 15 psi now I replace it with something else that I bought it out of

eBay or whatever the reason might be why I got it right let's say I calibrated it it's supposed to show 15 but it shows 13 right now suddenly my whole process is destroyed because it's it's wrong right that's on the hardware side so we have other like firmware you would not believe how many icsu Engineers would simply download whatever they can get from the internet right they would look for something because they want to just fix a problem right they're in the middle of this troubleshooting they are stuck and they Google it and it's worse than stack over right it's you know it's a copy paste on stack Overflow in this case the same thing some zip file

somewhere they'll download it they will download it to the controller right I work on a parallel project Community project called the top 20 secure PLC coding practices we have one of those requirements to say please you know have a backup Baseline for what the firmware should be and then do a you know at the very least do some kind of Integrity check right in a sha whatnot right in general um but the bottom line is we we have the same concerns um we're all working on sbom identification you know evaluation of how you might apply if you get the hardware building material and the software building material but we're a far cry away from being being there we

have so many other fundamental problems it's not like supply chain I mean in fact Stu net was a classic supply chain attack right where you infiltrated a third party country by working with a automation vendor from another country a security group from another country with a technology from this country I mean we've seen this happen 15 years ago and then that uh pipe dream toolkit that I mentioned is also a classic supply chain tool where once you get the tool in your environment there's no taking back because you it's no different from what you would use to actually work on the controller so that toolkit is not malicious by default but it is used for

malicious purposes right so bottom line is we have the same concerns as what it has in terms of uh supply chain both hardware and software but we got so many more Basics to clear before we really worry about that it's kind of like you know if your house is on fire you'll Focus on the fire first right before you think of hey did I um you know get get my documents or you know whatever so there are there's always a tier where you know you focus on what's burning first and then go down to the next level and the next level so my opinion we're far away from woring our that's bom till regulation pushes us to do it so in the

nerp world um the US government is forced the public utilities to focus on S bombs and they're going to do something about about in the next three or four years but every other industry it's going to be a long way so yes sir how do you get a senior leadership client for like consumer package good companies and things like that yeah it's a it's a challenge right I mean clearly if you didn't have to do anything for 10 years and you were safe it's very hard to convince them that security is the only reason why you have to invest something right which is why like in my previous slid I mentioned find a way to make a win-win for them

right if you know that they're interested in you know profit you know show them how they can make 10% more by using a combination of a technology and a resource to get there right or if you know that they're doing some cost cutting and they're replacing x with Y see if that Y is a more secure product right somehow make it a joint win uh you can never make it a security only I I've been in the industry for a long time if you try to sell something just as a security tool it almost always doesn't work in OT because uh in this regard I'll give you a funny example my my CEO has this joke about let's say you got

three kids and you know you had the budget laid out you know your wife is not working anymore and collectively you have a plan for how to raise these three kids right and surprisingly you got a fourth on the way well now what do you do right it's not like your salary is going to increase overnight it's not like you know you can somehow not feed the other three right or or do something lower you gotta find a way to feed the fourth one and get them to college and do all these cool things so that's the problem with OT security that historically we didn't have to do anything so this wasn't an expected baby

and now you got to do something for it right so that's a challenge that we're all trying to somehow address and the only way is to find other ways to make it a win-win for everyone right so that always helps um yeah like so far the the one problem at least in the US has been we're very regulatory driven in terms of investment right we do not spend something just because it's the right thing to do you know if you don't have to do it you don't you know you do what is legal do what is legal but you will not just invest just because of the right thing to do European countries have a different mindset they're a

little bit more socialist in some regards uh they seem to have National interest and um Security in mind they have a lot more regulations coming on the way too um so here to your point I think you're spot on uh when stocks not happen it's because it happened over there it would never happen to us when black energy happened with the same devices that we use in this country well but we're not at War it happens in Ukraine right when Triton happen on the world's most important security system from trionics well it happened in Saudi Arabia not here so none of that really changed any water plant yeah no you're on the same track so col Colonial

pipeline happened here and for the first time we had a change right so there's TSA directives there's more interest more people asking for stuff and then the CC regulations uh leading up to it right Florida water actually did not happen there's a lot of news about contamination but after two years the FBI decided that it was just an operator error there was really no remote attack so it's a whole different reason why you're not seeing a lot of people talk about it anymore because it actually didn't happen a lot more news Cycles unfortunately in this phace you know it's like any fake news right we have so much real possibility that we don't have to propagate something that didn't

happen but yeah to your point whenever something happens and things will happen in the natural course of things take advantage of it and you know use that to educate people you can never force people to be decision- making based on fear right hey this happened over there it should happen here once something happens there you can educate your team to say hey this could potentially happen here might not because you're not exactly using the same control system but the application is the same so I think we're out of time so thank you guys appreciate your [Applause] time for