Industrial Automation – It Doesn’t Have To…

Industrial Automation - It Doesn't Have To... Be Unsecure

October 13, 2020 elliTek, Inc. Season 1 Episode 3

This podcast expands on Brandon's interview with Food Engineering magazine, "Keeping machines and OT networks and IT safe from cyberattacks". 

We take a deep dive into cybersecurity. Listen to the full episode to learn:

  • Are cyberattacks evolving?
  • Has automation technology opened the door to hackers?
  • Is the Operational Technology (OT) side vulnerable to cyberattacks?
  • What are some vectors that can infect systems?
  • Does "unplugging" the control systems work?
  • Is there a safe way for manufacturers to utilize remote monitoring?
  • Is OT/IT convergence the only way for manufacturers to achieve digital transformation?
  • Can manufacturers connect their OT and IT systems and still remain secure?
  • What cyber security advice can manufacturers implement immediately?


Thank you to CSIA (Control System Integrators Association) and Food Engineering magazine for giving Brandon the opportunity to share his experiences and expertise!

Brandon Ellis  0:21 
Welcome, Hey Beth.

Beth Elliott  0:23 
Hey Brandon, how are you?

Brandon Ellis  0:24 
I'm good, I'm good. It's been. Let's see, we're pre-recording. I, we pre-record our podcasts, and we're not ashamed of that. So this is actually going to,

Beth Elliott  0:34 
It's gonna come out next week.

Brandon Ellis  0:35 
Next week. So we're a week behind, which means it'll be two weeks since I got back from the beach. And that was we were out, we actually went to North Myrtle Beach and the weather was fantastic. We had fall really move in, across the southeastern United States. And definitely, probably closer to winter up north. And Eastern. So. So it was, it's good. And so, we're, we're recording our podcast today and the title being da-da-da-da. What's the title today?

Beth Elliott  1:06 
It's Industrial Automation - It Doesn't Have To... Be Unsecure.

Brandon Ellis  1:13 
Right. And so this is a this is kind of a continuation. We mentioned in our last podcast, which, which had to do with IoT. We've got a lot of great feedback on that podcast, by the way, thank you very much for all the feedback and for all the downloads, and then the podcasts before our very first one where we were talking about our pre-engineered cells, robot cells and, and servo actuators. Got a lot, a lot of downloads on that as well, and a lot of a lot of good feedback. So sounds like you guys are enjoying it and getting something from our podcast. So we're happy about that.

Beth Elliott  1:52 
Yes. Thank you very much for downloading and listening and sharing. We appreciate it. So do you want to kind of go over what we're talking about today, Brandon?

Brandon Ellis  2:01 
Yeah, absolutely. So today is? Well, first of all, it stems from our last podcast. We referenced that as far as covering the cybersecurity side of IoT. You can't do IoT without -- you can't really do anything in manufacturing without considering at least to a certain point, cybersecurity. And that's true with email phishing. That stuff's been around forever. We've all been in situations where probably unless you're new to the industry, and new to email, and new to IT departments, IT departments are always saying don't click on the link, if you don't know who it's from, don't open it if you don't know who the attachment's from, that kind of stuff. So that's the basis of cybersecurity. But now we've expanded into the industrial Internet of Things space. And so this is a, again, a continuation or more of a deep dive into the cybersecurity, from our discussion, last podcast on just general IoT methodologies. But also, this is an expansion based upon and I think we mentioned it last time as well, an interview that I was privileged to be part of, with Food Engineering magazine, Mr. Wayne Labs did a piece on a group of us and decided I was interesting enough to expand out a little bit on my viewpoints and experiences. And so that's what we want to kind of build upon. Right?

Beth Elliott  3:28 
That's right. Yeah. And the article that Brandon's referring to is called "Keeping machines and OT networks and IT safe from cyber attacks".

Brandon Ellis  3:38 
And I assume we'll have a

Beth Elliott  3:40 
We'll have a link to it. Absolutely, absolutely.

Brandon Ellis  3:42 
The other thing. Just for you, on your things to do. In the first podcast, we talked about the Two Minutes To Data video.

Beth Elliott  3:52 
Yes.

Brandon Ellis  3:53 
And I don't know that we ever got

Beth Elliott  3:54 
It's posted. However, the name was changed, a couple, last year. And that's why the date on YouTube is 2019. Because I was requested to change it from like connecting PLCs to SQL databases, something like that. So that's what it's called, but the link is there in the show notes.

Brandon Ellis  4:16 
Perfect. Yeah,

Beth Elliott  4:18 
As well as, all the acronyms.

Brandon Ellis  4:20 
Yeah. And got a lot of feedback on that as far as the acronyms from the last one. So ERP, and MES and those kind of things. So IoT, we're gonna have a lot of people who, who know me, well, specifically, point out that I use a lot of acronyms. So I'm going to try not to use as many acronyms today without, at least not without explaining. So it was a fun podcast and the feedback was fun. And the comments were fun. And so it just gives me more things for us, for me to think about as far as presentation, so that said,

Beth Elliott  4:58 
Alright, so we're gonna kind of, before we kind of dig into the topic of cybersecurity in the food and beverage industry. Brandon, tell us about an experience you had in a plant that impacted your way of thinking regarding cyber-secure systems.

Brandon Ellis  5:13 
Mm hmm. That's a good question. Well, well, luckily, there's none. I have not specifically been directly part of any cybersecurity attack. Now, maybe that's luck. Maybe it's but I think it's having had the privilege to work with a lot of folks. And that were part of those projects, and being open to concerns when it came to cybersecurity. The other thing is, we were using the device I developed which has cybersecurity in mind. And so I think that doesn't protect you from cybersecurity, but it takes away the risk such that if it occurs on one network, it should not propagate to the other. And in those cases, when, when I come from the OT side of things, my background is

Beth Elliott  6:06 
OT

Brandon Ellis  6:06 
OT sorry, operational technology. That's, thank you. Another acronym. That's the PLC side. That's the plant floor side. My background is engineering, controls engineering, specifically. So PLC programming, robot programming, and systems integration and things of that nature. That's where I began, motion control systems. We talked about that in the previous podcast. So for me, a cybersecurity occurrence, and this isn't probably correct. But this is the truth. I view it more so on how did it affect the OT side of things, versus the IT side of things? Because on the IT side, IT, informational technology. That's the that's the main business systems. Usually, that's the actual connection up to the enterprise resource planning or ERP system. We talked about that in our previous podcast, that's everything that keeps the business going. Those types of vectors or entry points are, again, clicking on a link, a phishing link from an email, and those kind of things so that we have zero control over right. So I guess, IT's got their hands full enough on that, with all the malware, the virus-ware and all that kind of stuff. So as far as when I say impacted by a specific cybersecurity issue that I have experienced, what I have experienced is the aftermath.

Beth Elliott  7:34 
Okay.

Brandon Ellis  7:36 
And usually, I'm there because they're asking me, would your product have fixed this? Or, they've skipped past that and they're like, get in here, we've got to make sure this doesn't happen again. Again, not that the IIoTA or its precursor, the Data Commander, is a cybersecurity device, it's just designed so that the propagation from one network IT to OT, I've already explained it. So I get to say. Or, OT up to IT, that propagation across the networks, if you're separating the networks with our device is more likely not to occur.

Beth Elliott  8:17 
Okay.

Brandon Ellis  8:17 
So everything that I've dealt with is usually the after-effects. So, so should I go? Let me go into one of those?

Beth Elliott  8:25 
Yeah.

Brandon Ellis  8:26 
So the best, the best example of why this is a big deal. Because I guess, because this hits home because I would have done the same thing. There was a time in my life before Data Commander, that I would have done the same thing. And that is, as a controls engineer, we just need to move the data. And that's it. We're moving the data. It's working. We can care less. We've checked the box. We've moved on. And, we didn't always give respect or respect to the cybersecurity aspects. And so if there's a PC involved, which is how we used to do it. We're running our software. We're doing all of our stuff. The answer was, we're just not going to connect it. And so in that situation, the PCs that were along the lines were not connected. Well, connected is relative. Connected means not connected to the outside world. But in this specific plant, the production lines have evolved into multiple lines, so multiple PCs on the lines, and they really all kind of need to be on - we were using a network for this one. And then we needed another network and another network - not we - they - they needed another network, another network, another network, and so they created a specific network that was its own isolated network, not connected to the outside world.

Beth Elliott  9:49 
Okay.

Brandon Ellis  9:51 
That was for their production network. And then that production network needed to span to another plant and other plants and so they began to do IT tricks to make that happen. But still, that network was totally closed, other than, you know, onto itself.

Beth Elliott  10:08 
Okay.

Brandon Ellis  10:09 
And what occurred was some, I don't know exactly. I think it was maybe a thumb drive or an infected PC or something like that was introduced to that network. It might have been through a nonemployee. It might have been through a contractor or something like that. And it was probably totally, totally innocent. I'm not talking about somebody trying to bust the door down and industrial espionage and cloak and dagger stuff. I'm talking about somebody that just had to take a PC that was connected, that was unknowingly infected. And connected in on this other network. Well, here's the here's the thing. Here's the travesty. And man this this hits home, I would think this myself at a point years ago. It's not on the internet, so nobody can get to it unless they come into this building.

Beth Elliott  11:00 
Yeah.

Brandon Ellis  11:00 
True. All those all. That's true. That was true in this situation. But in this case, they took a step further, and said, the reason my network is so slow is because of this pesky, pesky firewalls are keeping me from connecting. So I'm going to disable all the firewalls the virus packages that came on the computer, we're going to uninstall those because they take processing time, any malware and stuff like that we're not even going to install it. Because we don't need to.

Beth Elliott  11:28 
Because it's separate.

Brandon Ellis  11:29 
Because it's separate.

Beth Elliott  11:30 
It's not connected to the outside world.

Brandon Ellis  11:32 
That's right.

Beth Elliott  11:32 
Okay.

Brandon Ellis  11:33 
And, and what occurred. And again, I wasn't there for this. I was just hearing about the aftermath was when that virus. It was a virus. When that virus got into that network, there was nothing to stop it. And it's like a human body with no immune system. It was running, and it jumped from plant to plant. I mean, literally, it was panic mode when they figured out what was going on. And it was just nailing all these PCs and infecting them and replicating and infecting and replicating it was just

Beth Elliott  12:05 
They didn't have the firewalls or the malware or none of that was in there.

Brandon Ellis  12:09 
Nothing. Absolutely nothing, no immune, no immune system whatsoever. And so it literally was spreading like wildfire. So that's the wrong way to do it. But honestly, we years ago, early in my career, that's what we did.

Beth Elliott  12:27 
Yeah.

Brandon Ellis  12:27 
It wasn't. You know, of course, we're not in an IoT age. We're not in this age of connectivity and remote monitoring and all the things of that nature, then we weren't like we are today. And so it hits home. And that's certainly something that could happen. But again, those were PCs that were involved.

Beth Elliott  12:45 
Yeah.

Brandon Ellis  12:46 
Not PLCs.

Beth Elliott  12:47
I gotcha. Yeah.

Brandon Ellis  12:48
So.

Beth Elliott  12:49 
So how have cyber attacks evolved over the years?

Brandon Ellis  12:52 
Well, now.

Beth Elliott  12:54 
It's sophisticated, aren't they?

Brandon Ellis  12:56 
Well, now the hackers, and it's actually not now, we talk about it. I talk about it as if it's now. You've heard me bring up Stuxnet, a lot of people in the controls industry know about Stuxnet. But that was 10 years ago.

Beth Elliott  12:58 
Wow.

Brandon Ellis  13:04 
It was 10 years ago. Stuxnet was the first PLC-specific virus. Now it had to run in a PC environment. It was targeting Siemens, in this case, Siemens PLCs, on their S7 series, and, and then once it found it, it jumped PC to PC looking, looking, looking. And once it found it, it took advantage of some of the libraries that were there, I think that's the way it worked. But it had online access to the PLC, that means we can make programming changes without interrupting the process. So on the fly changes. It began to make these changes. And ultimately, I think it was, I think it was some centrifuges that were involved, but ultimately oversped them. I don't know if it happened, like, you know, cooking a frog, you know, they

Beth Elliott  13:59 
Slowly

Brandon Ellis  13:59 
Slowly or, or they happen all at once. But, but it certainly changed this, these these registers. Now, that kind of attack, to me seems a bit more calculated. There's tons. I mean, listen, 10 years ago, so there's tons of conspiracy theories about that. That actually happened to I think an Iranian plant. They're making nuclear weapons. And so there's all kinds of fodder that you can see on the internet and all. 2020 is a conspiracy theory-laden year, just go ahead and add that one to your pile if you're short. But, but it does seem like it would need to be a very specific attack, because you would need to know and a lot of controls engineers out there would agree with this, you would need to know what you've got addresses. But if there's nothing at that address, you're wasting time. So you need to know what addresses you're getting to and things of that nature, especially when you're talking about a specific address that controls speed or something along those lines. So, I've always looked at that as being a specific targeted approach. But as far as how they've evolved, the PLC slash OT side is being discovered by a lot of these would-be hackers. And that is a, I believe is a fact because I'm seeing more about that than ever before.

Beth Elliott  15:23 
Okay, okay, that was gonna lead me to my one of my other questions here. You have the traditional thinking was that the focus was on the IT Enterprise side but recent news reports show that the OT side is vulnerable. Do you want to expand on that a little bit?

Brandon Ellis  15:41 
Well, yeah, no, no question that it's that it's more vulnerable. In fact, I was reading, reading a blog. I don't know why it popped up. I do know. I get Twitter feeds from, from some resources for some crazy stuff. Matter of fact, I got a PC here. This has nothing, hopefully, nothing to do. But I'll do a shout out to these folks. I assume that's cool for me to do.

Beth Elliott  16:07 
Absolutely.

Brandon Ellis  16:08 
I follow a group called Threatpost, @threatpost. And they send out these tweets that scare the crap out of me all the time. But this one just came out last week. It's called a variant of malware called Interplanetary Storm. Now, Interplanetary Storm is a malware. I'm not sure what it does. If you know, good for you, shoot us a comment and let us know. But I'll look into this. But it says that it's building and this is the tweet. So you know, a headline can be misleading. But these guys are pretty good. A new variant of the inner Interplanetary Storm malware is building a botnet. Building a botnet with a current estimated 13,500 infected Android and Mac machines.

Beth Elliott  16:59 
Wow.

Brandon Ellis  17:01 
So I looked into that a little bit, but I haven't as much as I want to, but I kind of don't want to because that sounds that's like, oh, holy crap kind of thing. Because if they're doing what I think they're doing, a botnet is now taking more than just one resource and infecting it, it's infecting all of these resources, and then they can work together.

Beth Elliott  17:26 
Wow, wow.

Brandon Ellis  17:29 
I don't know if that's... Threatpost, if you're listening, let me know if I'm, if I'm interpreting that correctly, and I need to do more than just read the headline. But nevertheless, these types of tweets, I get, I monitor and see because I'm interested in them. But I was, and maybe it was when I was kind of looking into this thing. I ended up on another website. I'm sorry, I can't remember the website. But it was a hackers' website, specifically, at least this section was this blog was specifically targeted to OT devices. And, and so PLCs are not safe targets anymore. That most of us, most of us, I'm older. Most of us controls guys know how to program PLCs, robots, but we wouldn't know how to take advantage of the PC side of things and that type of a threat. I don't. I'm not that's not my expertise. But in talking with some of our own developers and in talking to them about this article and whatnot, you know, actually held back.

Beth Elliott  18:38 
You did. Those couple of our developers said, Hey, now this might be giving away a little too much information.

Brandon Ellis  18:46 
Exactly. And so and I was concerned about that too because I would, I would, I would guarantee that there is a vulnerability, that's not really a vulnerability. It's just a fact of how we set things up traditionally, that with very little effort, someone with that knowledge could shut down an entire plant in a matter of seconds.

Beth Elliott  19:09 
Wow.

Brandon Ellis  19:10 
If they get on to the OT network and have access to all the PLCs.

Beth Elliott  19:14 
Oh, my goodness. Has automation technology opened the door to or has that door has it always been open?

Brandon Ellis  19:22 
Well, yes. And yes. But not as much. As far as keeping the door - has the door been opened? Hmm, the door has been open, but not as much.

Beth Elliott  19:34 
Okay.

Brandon Ellis  19:35 
So, I think the reason is because connectivity wasn't as big a deal.

Beth Elliott  19:39 
Okay, okay.

Brandon Ellis  19:41 
It was actually do you? This is rhetorical because I'm going to tell you. Do you, our listeners out there, know when IoT really got its traction. And now this is Brandon's version. I believe that because before 2009-2010, the downturn, we didn't have a term of IoT. We referred to MES. We referred to manufacturing execution systems. We referred to SCADA systems and things of that nature. But we didn't have this IoT. IoT, of course, began as wearables and smartphones and smartwatches, and all that kind of stuff. But industrial IoT was not a thing. All the stuff that we were doing at that point as far as connectivity, and in really capturing data was heavily part of the quality assurance or the quality department.

Beth Elliott  19:48 
Okay.

Brandon Ellis  19:50 
And quality departments using that just to check their processes and check their parts and those kind of things. Which they still do. But to put this, in my perspective, as far as budgets go, and spending, the quality department would get so much money budgeted just like any other department, and they're not, they're not going to have these huge budgets to go out and implement what we now call IoT, just to get their, check the product, check the process, confirming type data.

Beth Elliott  21:00 
They had to have more reason to do that.

Brandon Ellis  21:02 
That's right. But in 2009, as anybody who was working in 2009 remembers, there was a downturn, specific, huge downturn that affected probably everybody. People were losing their jobs like crazy. The housing market was in shambles. Everything was just all to pieces. And now not that 2020 has been much different. But this was directly affecting manufacturing. And, and quite honestly, what I feel like is that at that point, two things had to happen from the business or the plant management standpoint, just to survive. Was people were losing their jobs or getting laid off because they didn't have they couldn't pay them. They didn't have the production requirements and stuff. So they needed to figure out how to produce more with less people.

Beth Elliott  21:53 
Okay.

Brandon Ellis  21:54 
They needed to get efficient is what they needed to do. And so suddenly, they're like, Wait a second, how does our processes work? And they go, who's got the data? And they go to the quality department. The Quality Department says, Well, this is what we've gotten. They're like, well, that's good. But that really has to do with how, you know, repeatable our process is or something like that. But how good is our process, because they were looking at usually specific machines or specific processes, and not the entire plant process. And so suddenly management's involved. And they decide where the money spent, and they just just inserted injected a ton of money. And that, of course, is when I started getting more into IoT, and kind of thrust into IoT at that point as far as doing programming, and things of that nature - making these dissimilar systems talk because what came from that in 2009. And, and so that's where I think it was born because it had money. It had funding. And it has exploded into a huge, huge industry. Probably extremely saturated industry. But that said, prior to 2009, were the capabilities here? Well, sure. PLCs are PLCs. And they've been doing this, I said, you know, last podcast, we're gonna do this. Yeah, they've been around since the late 70s. And, and PLCs have a platform for capturing data. They can do that. And we've been doing that specifically probably for more than two decades. But, the push to utilize the data, which is the digitalization that we talked about in the last podcast, that push has really happened since the 2009-2010 era. So really, over the last 10 years, it has grown, I think, probably around 2012 to 2016 was a real big push. And then 2016 on kind of changed a little bit because at least in the United States, because manufacturing was really good. There was a lot of unemployment rates were low until 2020, and the pandemic and all that kind of stuff. 
And so I think you get to a point where it's kind of like, well, life is good. We that. Yeah, that's right. It's easier to hire someone and keep this process kind of the same than worry about the efficiencies and that kind of stuff. So I think that but the connectivity was already there. So a lot of the potential entryways into the system are there, the risk.

Beth Elliott  24:22 
Okay.

Brandon Ellis  24:23 
So I think that it's always been there, but I think it's now been funded so much more that it's there even more so.

Beth Elliott  24:30 
Okay. Okay. Well, in your interview with Wayne Labs, he's the Senior Technical Editor for Food Engineering magazine, you said that food and beverage is as critical if not more than pharmaceutical when it comes to the potential harm that could result from a malware ransomware infection. Can you expand on that a little bit?

Brandon Ellis  24:53 
Well, I did make that statement. And I guess the reason that I, of course, there's two sides to that coin as far as risk potential harm, the malware ransomware infection, which is what Wayne was focused on, because we're seeing a lot of ransomware suddenly, it's big business.

Beth Elliott  25:11 
It is.

Brandon Ellis  25:12 
But also the malware and what can it do if it's not a ransomware-type thing.

Beth Elliott  25:17 
Okay,

Brandon Ellis  25:18 
Is kind of how I look at that. Basically, do I feel like it's more critical than pharmaceutical? I don't want to take away from the criticality of pharmaceutical.

Beth Elliott  25:28 
Oh, yeah.

Brandon Ellis  25:29 
We all when we put a, you know, an aspirin in our mouth or in our child's mouth, we want to, we want to believe that it's, the ingredients are there and they're within safe limits and things of that nature. And that's why we don't want that to be screwed with. We want those quality aspects and those repeatabilities and everything. But did you eat or drink anything today?

Beth Elliott  25:50 
I did. I had some pasta for lunch. It was delicious.

Brandon Ellis  25:56 
I had my peanut butter and jelly sandwich.

Beth Elliott  25:58 
Good for you.

Brandon Ellis  26:00 
But as far as medication, you may not have taken as many, no medication. So some of us luckily, don't have to take a lot of medication. But every day, we eat and we drink. And since we're not all running out to the garden, and pulling our stuff out farm to table and drinking from the spring and stuff like that. We're going and buying food, purchasing food, we're keeping the food and beverage industry alive and supporting them very well. United States it's probably too well, but me specifically. But that's why I think that it needs to be respected because and again, I said the two sides of the coin. From a ransomware standpoint, of course, if you launched a ransomware.

Beth Elliott  26:47 
The people would know immediately because they're going to ask for the money, right?

Brandon Ellis  26:50 
That's the way well, not that I'm a ransomware guy.

Beth Elliott  26:56 
That's what I would pick.

Brandon Ellis  26:57 
But I'm not that I'm a ransomware person, but that's my understanding is that ransomware happens pretty immediately. It captures something. Now, usually it captures what it captures is like a data file or connection to a database server or something I guess you know something on a PC or a server.

Beth Elliott  27:19 
That's worth something. It's gotta be worth some money.

Brandon Ellis  27:22 
Yeah, you're hoping, I guess if you're the person that it's worth something, and you lock it down. Usually, it locks down at a single PC that I've seen on a single PC or something along those lines just kills the PC. The scariness and this is where our developers told me lay off. The scariness is what if instead, you can start ransoming things that are not on the PC, but on the PLC, the OT side. And, that's where I get concerned about the ransomware because I feel like that it is possible to utilize a ransomware that may be PC-borne. But that can ransom things. And I'm saying things in Internet of Things, Industrial Internet of Things, a thing can be a PLC or robot controller any of these controllers, industrial controller, and then ask for ransom, so that could shut down a line. It could shut down a whole section lines. It could shut down an entire plant, multiple plants potentially. It's according to what's out there and how it enacts.

Beth Elliott  28:25 
Okay.

Brandon Ellis  28:26 
And that, of course, could grossly affect the food beverage industry if it could cause food prices to jump and all kinds of stuff if plants are shutting down. But the malware side of things scares me even more. The malware but because of Stuxnet, because Stuxnet was not ransomware.

Beth Elliott  28:41 
It was sneaky, wasn't it?

Brandon Ellis  28:43 
Yeah, it was changing things. And so if the malware is able to detect things that are changing, back 10 years ago, we did not in PLC programming, we used addresses. And so we knew usually, you could infer to a point what the address may be as far as a valid address. But you had no idea what it was connected to or doing in the programming unless I don't know how you would make a computer program sniff because even as a programmer you have to upload it look at it, scratch your head a little bit and figure out what the guy who wrote the program was doing. But we are more tag-based today and by tags meaning that we don't have just a memory area that's some type of either hex address or binary address or some kind of symbology per the manufacturer of the PLC. It's actually a name and so variable names could be scanned, used to see

Beth Elliott  29:44 
Is a variable a tag?

Brandon Ellis  29:47 
A tag is a variable.

Beth Elliott  29:48 
Okay.

Brandon Ellis  29:48 
Yeah, so an address in a PLC is where you either can write a number or read a number, things of that nature, number, string, all these things are just variable numbers.

Beth Elliott  30:01 
Okay.

Brandon Ellis  30:02 
And so a tag is probably I would tribute, we would attribute that to Rockwell Automation. I think they may have invented the term tag, maybe not, I don't know who invented it. But it's, it's basically saying instead of a specific piece of memory that is specific to this manufacturer, they allow you to name it as a variable name, which means this variable changes - you can read and write to it. But a tag name. So I don't know if that would make it easier. But if you started scanning tag names, because tag names are usually abbreviations, so still, there's a little bit of weirdness there. But if you could, someone could figure out how to go in and actually change data - find a data table - find a recipe. And some systems actually have recipe tools that are known to be recipe tools. So everything in them is considered a recipe. And if a malware just came in and started making modifications to that, it could be disastrous, especially if it wasn't picked up upon.

Beth Elliott  31:06 
Yeah.

Brandon Ellis  31:08 
Suddenly now, just like the aspirin, everything could be off and you ingest this and that bad stuff happens. Well, food and things of that nature. It could happen. I don't know. Maybe it's me being overly concerned. But with some of the crazy stuff that I've seen, and maybe I need to stop reading some of these tweets, but when I'm seeing a botnet with 13,500 infected machines, that spans Android and Macs, and I think about all the... Anything Android is every cell phone that Samsung makes, and every Google-based stuff, your and Mac, of course, is phones, watches and computers and everything, Android's computers as well. So you know that that's they're taking notice, I guess, is what I'm saying. There's a - it presents a huge number of vectors.

Beth Elliott  32:00 
Okay. Okay. Speaking of vectors, Brandon, you mentioned points of entry are vectors, by which malware and ransomware can enter a system, like with a thumb drive or putting a, plugging an infected computer into the line. What are some other points of entry or vectors that can infect a system?

Brandon Ellis  32:23 
Well, I think I think USB.

Beth Elliott  32:25 
Okay.

Brandon Ellis  32:26 
What you said, is a big one, especially today.

Beth Elliott  32:30 
Yeah. Working from home.

Brandon Ellis  32:32 
Yeah, we're kind of I can't decide if we're coming off this COVID thing yet.

Beth Elliott  32:36 
I don't know.

Brandon Ellis  32:39 
There's been some states that have their governors have announced that they've lessened the mask requirements and stuff like that on businesses and stuff. But I think, as a population, hopefully, a very intelligent population. I take a lot of pride in our population. And in the populations of countries around the world. We have more data, and we understand how this thing works. But still, I think we have specifically we have a lot of customers that are still working some from home and coming on-site when needed to be and they're working on systems, their stuff at home, and then bringing that in. So how do they bring it in? Do they bring their laptop from home move it from home to work? Does that fall outside of the IT cybersecurity requirements? Do they bring thumb drives from home to work? You know, is IT looking into that? And I'm sure that a lot of them are, but I wonder if all of them are. So I'm not sure exactly how many of our customers are doing. But the most common, and probably the most nonsecure, but the most common would be a thumb drive. So you work at home, you do all the stuff there on your home computer, which is how heavily connected it's not that it's not secure. You could have the most secure system in the world sitting at your house, but there are some that probably don't. They're not IT people so they may not be worried about that. Remember, there was a time that even I would say uninstalled the virus stuff, turn off the firewall, because it's not connected, you know, so if it's just not. IT people are there. And they are what they are because of their makeup and for those of us who aren't people there probably is a reason why we don't have that makeup. And so I think the thumb drive is probably the most common or bringing a PC that's infected unknowingly infected into a plant. Emailing yourself. So if you email a file to work from your PC at home, it falls under don't open this unless we know about it. 
But if there is a if there's malware in there, and again, coming in that way, if you have a savvy IT department, and it's a known malware -- If it's a known malware member virus, the virus engines, the malware, they only detect what's known.

Beth Elliott  35:08 
Oh, okay.

Brandon Ellis  35:10 
And when they find out about it, which means someone's the victim, then they figure out, oh, this is how we detect for this. And that's when

Beth Elliott  35:18 
You get your updates and patches, okay.

Brandon Ellis  35:20 
Your definitions and all of that. So if it's known, they would grab it, even though it's coming into your email. But if it's not known, then there's that caveat. The second thing is they may not grab it, they may go with the stance of Do not open an attachment from somebody you don't know who's sending it. Well, if you're, if you've sent it to yourself,

Beth Elliott  35:43 
Yeah. Wouldn't it be safe?

Brandon Ellis  35:44 
Wouldn't it be safe? So again, maybe I might be over overly concerned about some of this. I would love for an IT person or a cybersecurity expert to be part of this. Maybe one day, we can bring someone on. But certainly, if you're on that side, and you're like, Brandon, you're, you're just worrying over nothing. We got this, then leave us a comment. I'd love to talk with you more about it and learn more about your viewpoints on that. You know, at the end of the day, though, it comes down to one thing we talked about unplugging or disconnecting versus being online, that kind of stuff and how those vectors you're talking about the vectors of if you are unplugged, how do they come in? If you are protected, how do you still come in? It really comes down to a risk analysis. We'll talk a bit more about that. But one of the primary vectors that I'm seeing, and you know, I said this, I alluded to this in our last podcast, and in listening to it, I want to make a distinction. I use the term manufacturers for different things.

Beth Elliott  36:51 
Yes.

Brandon Ellis  36:52 
And so, there's a manufacturer just like elliTek, like our company that manufactures IoT and MES products. There's also manufacturers that use our products. And then I put it in the same as the first category manufacturers of IoT products. That can also be a machine builder, which elliTek also is but regionally but, but whether we're using elliTek products or someone else's products, and I'm not going to talk about specific IoT products, necessarily to target anybody but there are manufacturers of these products, they're being used by end-user manufacturers, that are manufacturing companies. Not manufacturers of the products, but manufacturers of cars, and, food and all this other kind of stuff that are using those products. And so I noticed that in the last podcast, I use an even in this interview, if when you read this, I'm sure everybody's gonna read this interview, go out and read it Food Engineering magazine. I said, and I'm going to quote myself, I think, if I can find where it is, I talked, no, I guess this I'm not looking at the right one I was talking about another vector being introduced by the 4G 5G cellular links.

Beth Elliott  38:18 
That's right.

Brandon Ellis  38:19 
And, and those links are being marketed. I'm going on a rant now because it makes me mad. They're being marketed and pushed by salespeople to the OT side of the primarily the OT side of the coin, operational technology, the engineering - my people, the engineering people, production engineers, to say, basically, your problem, we can give you this dashboard, this cloud-based dashboard and all this kind of stuff. Now, some industries, it's not a big deal. But in a lot of industries, IT has said "No" to cloud-based servers, or at least "No" to any cloud-based server that they are not managing somehow themselves. Remember cloud-based is on somebody else's server and hosted is on your server, at your location or a location you own. And by going cellular, from the OT from the operation of the plant floor, if you can get a cell signal, you can circumvent and go past, bypass IT, and get to a server that that and I'm saying manufacturers as far as IoT product manufacturers, that the manufacturers of that 4G 5G thing has their cloud-based stuff and all that kind of thing. And I'm sure it's great.

Beth Elliott  39:43 
But it's bypassing all the security, is it not?

Brandon Ellis  39:45 
It's bypassing plant security, which means it's introducing a vector. Now I'm gonna go, I'm gonna go freestyle for just a second here. I assume it's still the largest but I believe the largest data breach in history was about three years ago, three or four years ago at Target. It affected. My wife loves Target. It affected us. It affected everybody who paid with some means of currency other than cash. So how did it happen? Well, Target, as I understand it, Target had all of their HVAC systems, for every Target across the United States I guess.

Beth Elliott  40:29
That's their heating and air, isn't it?

Brandon Ellis  40:31
Heating and ventilation, central air.

Beth Elliott  40:33
What does that have to do with

Brandon Ellis  40:35
Right. They had it all on a network and they had employed a company to monitor it for energy efficiency and stuff like that. Using their means, they would, kind of like a machine builder would do, they could remote in and see what's going on and make changes and adjust. I don't know. I'm not a HVAC person, but dampers and flows and static pressures. Whatever they're doing. They're managing the system and also monitoring it for maintenance for scheduled maintenance, and I'm sure for energy efficiency and things of that nature. So, there's that. Meanwhile, they have their cash register system, their point-of-sale system, which at the time had not been upgraded from Windows XP. But Windows XP had been basically support had been dropped by Microsoft. They had moved on. I don't know where we were but they had moved on. So we're probably well into Windows 7, unfortunately into 8, and then maybe even into 10. I guess we were.

Beth Elliott  41:34
Yeah, if it was three years ago.

Brandon Ellis  41:35
I can't remember how many ago it was. Time goes fast when you get old. But it was three to five years ago, let's say. The vector, as I understand it, was someone's computer, technician, or something like, or username and password somehow had gotten stolen. It was unknowingly stolen. And so that means that they. Who kept their cell phone on during the podcast, Beth?

Beth Elliott  42:02
I don't know. I didn't even bring mine in here.

Brandon Ellis  42:04
Yeah, I guess it's me then. Sorry guys. So, the username and password for the HVAC system somehow was taken. And so, they were able to get access into the network via that vector. That's HVAC. They started snooping around. They found Windows XP systems. They knew they were no longer supported. There's a lot of stuff online when something falls support that shows vulnerabilities. They knew of some vulnerabilities. They did some quick checking. You can probably use an ARP table or something like that to figure out that this is. I mean you can quickly say, look what's out there - what is it - what operating system - those kinds of things. And so, they figured out what was going on. They installed some kind of malware unknowingly, and they realized it was point of sale. So, I think that they did a small test at first and nothing was there to stop it and so they rolled it out. And for two, two to three months I think - every credit card swipe - every debit card swipe including PIN numbers were being captured without anyone knowing. And why? Because of this HVAC deal. Now, I'm not saying guys - cancel all your HVAC contracts and your machine build contracts and all that kind of stuff. I'm just saying it's a vector. It presents a vector.

Beth Elliott  43:39
So, yeah. I was going to ask you about remote monitoring and how to keep - is there a way to keep remote monitoring safe?

Brandon Ellis  43:46
Well, safe is always relative. Secure is always relative. Actually, in that article, I think either our interview or the other article that went with it, I think I said that if anybody ever tells you that their system, their software, whatever it is is 100% secure - walk away. Because there is no infinitely secure thing - software or hardware. I just don't believe it. Even disconnected, we've shown that you can get in there. You may have to be on-site. So, how can you do remote monitoring and it remain secure? You know, I would say, make sure your IT folks are involved. I know that their philosophy and the philosophy of production and production engineering is not necessarily the same.

Beth Elliott  44:42
Yeah. Which leads me to the next thing about OT IT convergence. And how for the only way to possibly do digital transformation is to converge those two networks. But, is this the ideal solution?

Brandon Ellis  44:57
Well, I mean that sounds good on a marketing.

Beth Elliott  45:03
On a blog post.

Brandon Ellis  45:06
I mean it's convergence but you can't, I don't think it's required to converge. I think it comes down more to connecting. We talked about that again in the IoT. It's about connectivity. How can you do that securely? Converging, to me convergence is let's put everything, all your PLC and machine controls, let's make that and all of your MES, and your data management, and everything like that and let's stick it all on one box. That box could be a PC. That box could be a PLC. There's a lot of PLC manufacturers that are trying to communicate directly with the cloud and things of that nature. I think that's a risk. I think that is convergence and I think that you leave yourself no - you leave yourself no places to check to make sure this is alright. That something's not going on - something's not happening that shouldn't be happening. Whereas, connectivity, and I promise that this is not a sales pitch, but it's just what I believe that's why I designed it this way. Connectivity lets us have something in the middle that is able to see one network or see the other network but will keep it from propagating. So there's a point of stoppage.

Beth Elliott  46:17
So if you had a converged, the whole system is converged into one, there would be no -it could run rampant - the virus or malware could run rampant without any checks or balances?

Brandon Ellis  46:29
Yeah well, I guess that's a good way to put it. Yeah, that's a good way to put it. The question is is what does run rampant look like? This comes back to the risk analysis. People have asked me before and we've talked about this - Brandon, should we do cloud-based or not? And my response is - have you got anything, any data that's going to be going on that cloud that you don't care for other people to, maybe even hackers, to get - to get access to. If that data is highly sensitive, if it's intellectual property, if it's HIPAA violation, if it's personal - you know social security numbers, driver's license numbers, all the stuff you don't want people just getting, then probably you should do that in a hosted way - have an IT department kind of managing that. Cloud-based is not, I don't feel like, as secure as an IT, someone qualified, IT-managed, hosted server.

Beth Elliott  47:31
Okay, so how can manufacturers connect their OT and IT securely?

Brandon Ellis  47:36
Use an IIoTA. The most successful implementations I've seen across, and this is not specifically with our products, there's other products out there and that's fine, there's other products out there. But despite that, I feel like ours is the best, the most successful implementations I've seen from a convergence, I guess you would say, but I don't want to say convergence that's a term I don't want to use, from an efficient data transfer standpoint and from a cyber secure standpoint, has been when those (and they're fairly rare) those rare occurrences where IT is sitting at the table along with production engineering and production management. And, they're all saying this is what's important to me and this is what I can do to help what's important to you be taken care of. And when they all work together, and they all decide this - the risk analysis - is a conversation. A lot of times risk analysis is the IT department telling you what you can't do and these are the rules and end of discussion. Or the IoT discussion on the data that we need is coming down from upstairs and just kind of you know being bull-horned through to both IT and engineering and saying figure it out, get it done, and it's not a collaboration. I think the collaboration makes all the difference.

Beth Elliott  49:16
Okay. So what cybersecurity advice can you offer manufacturers? And, something that maybe they can implement immediately? I mean, I think the discussion part might be the best way to go.

Brandon Ellis  49:27
Well, the first thing each department has its wants and its needs. So, what are your needs? And, let's just say wants as well, you know wants and needs. And then, what does that require? So if it's all production engineering wants these things for whatever reason or it could be IT's asking for these things because they need to tie it in with our ERP systems and things of that nature, they're being pushed for that, or management, in general, is needing all these things. To have those discussions. But then look at the data and perform a risk analysis, a round table risk analysis, to say I'm okay or we feel like this data is secure or this data is not secure, so this is how we need to go about doing that. Don't wait until after the fact. And if you want to do a cloud-based system, don't - a lot of the product manufacturing plants are encouraging - and this gets back to my rant - they're encouraging the production engineers, production management, and those guys to do this, knowing that they are trying to get them to circumvent IT, because they perceive IT as the problem. They're the ones with the rules. They're the ones that can't keep - well, hold on a second guys, we got a ransomware, crazy windfall going on right now. Are they the bad guys? No, they're not! We have to work with them if we're on the OT side or production engineering or production management side. It's very important. So, the risk analysis but also be very careful about jumping in with the 5G cellular deal, because that vector is only as strong - why did the HVAC password get put out - why did no one know that was happening. Because and then within your plant go ask your IT manager - Could something like that happen to us? If you had been the HVAC/IT manager, would it have happened to you? And your IT manager's going to say "No way because I would have done this, this, and this". And, that's probably true. It just happened to be a miss. They missed it. They missed something. We've all missed stuff. 
And it got out and the vector happened and it could not be controlled by Target because Target did not manage that. They hired this company to do that. And then the crazy thing is they didn't do anything to the HVAC system. It was perfect. The efficiencies, the heat and air were working perfectly, but for the consumers that were going through and Target was - it was horrible. They knew it was horrible. They admitted it was horrible. They wished it hadn't have happened. If it can happen to Target

Beth Elliott  52:10
And that's a huge company. It just surprises me that it took a few months for somebody to even notice that they were poking around in there.

Brandon Ellis  52:22
And again, would Target's IT department have allowed it to happen? I don't know. They kind of did, but again it wasn't malware. It wasn't ransomware. It was malware but it was specific to their system because they got access. That access is possible because you get a vector. And that's the other thing. These IoT and product manufacturers or these remote monitoring product folks on the OT side - Oh, yeah, you can use our stuff to remote in and get logged on to the PLC and start making program changes.

Beth Elliott  52:52
Well, who has that login information?

Brandon Ellis  52:54
Who's controlling that? And so, those are the things that I think need. So let's go ahead and wrap up. We're rolling in just about to an hour. So, just a quick recap.

Beth Elliott  53:06
Well, first of all, can I give a big shout out and thank you to CSIA (Control System Integrators Association) and Food Engineering magazine for giving Brandon the opportunity to share his experiences and expertise. Thank you guys for that. So, let's do a quick recap of what we've gone over today.

Brandon Ellis  53:25
Well, let me plug that. That's Julie and Lisa we work with a lot and Wayne Labs over at Food Engineering.

Beth Elliott  53:37
They've all been fantastic.

Brandon Ellis  53:38
Yeah, yeah. So thank you very much for that opportunity, guys. And, CSIA, hey, if you're hiring a systems integrator and they're not a member of CSIA, you need to ask yourself is this the ones I need to go with? Because they're a top-notch organization. Their members are top-notch as well. So, IoT - what was the title again you gave us? Industrial Automation - It Doesn't Have To... Be Unsecure. So yeah, just the security. I really appreciate you talking about convergence. And we talked about convergence versus connectivity, that's a big deal.

Beth Elliott  54:14
Risk analysis.

Brandon Ellis  54:14
Risk analysis. Yeah, and then just converse. Converse - Communicate.

Beth Elliott  54:21
Yeah, bring everybody to the table that's involved in it. Alright. So, I think what we want to do is, we're gonna have these every other week. So, this will come out on October 13th.

Brandon Ellis  54:36
Is that next Tuesday?

Beth Elliott  54:37
Yeah, and then, we'll have one not that following week but the week after that. So, I really would appreciate some people if you would, have some questions about anything industrial automation related just to comment. Send us comments wherever you can. What do you gotta say there, Brandon?

Brandon Ellis  54:57
Well, I think - we'd like to hear - I'd like to hear some things that are important to you all. We talked about a lot of topics and we've done a good job and we've got plenty of topics to go through coming up on the other stuff. But if you have a particular item or topic that you would like to hear us discuss, believe me, if I don't know, I'm going to tell you, I'm not the guy to talk to and we won't waste your time with that. But if we, if I have some experiences in that just having done this for a long time, and I'm always open to sharing my opinions as well, then certainly we would love to hear those ideas. There's a lot of fantastic stuff. I don't want to discourage anybody because of cybersecurity concerns to not go for digitization and digitalization in your plants. Because that is the future and we want - especially the customers we work with - we want to make sure that they continue to succeed. That they're empowered in what they do, because that just brings about more jobs, more productivity, more profitability and that just helps us all. It keeps us as a nation moving forward. So, please reach out to us and start the conversation. What's the best way to reach out to us, Beth?

Beth Elliott  56:14
I think phone would be good, 865-409-1555.

Brandon Ellis  56:20
Right, but we have our Facebook page.

Beth Elliott  56:23
We do, elliTek. e - l - l - i - t - e - k. And then we've got Twitter, I think that's elliTek_Inc and then LinkedIn page.

Brandon Ellis  56:34
And Instagram. Which I'm no good at. But yeah, LinkedIn, Facebook, Twitter, and Instagram reach out to us. We'd love to talk to you and certainly the same goes for the topics on that if you want to use one of those medias or call us - tell us Hey, this is the topic we want to use. So, thank you very much, Beth. 

Beth Elliott  56:53
Thank you, Brandon. I hope you have a blessed afternoon. 

Brandon Ellis  56:57
Thank you very much. See ya guys.

Transcribed by https://otter.ai

Welcome
What is a cyberattack
How IoT got its traction (Brandon's version)
Why Food & Beverage is as critical if not more than pharmaceutical
Vectors of entry that can infect a system
Cloud vs Hosted & What does Target have to do with it?
OT / IT Convergence for digital transformation?
How manufacturers can connect OT & IT securely
Cybersecurity advice & wrap-up