What happened with Colonial Pipeline and could it have been prevented?

This episode isn't a dig at Colonial Pipeline. It's a cautionary tale for businesses, and their cybersecurity preparedness efforts.

The reason Colonial shut down their pipeline was they were uncertain.

They were unsure what systems were going to be affected over and above the accounting systems. They lacked confidence in the separation of their Business/IT Networks and their Operational Technology (OT) Networks.

Listen to hear a simple solution!

We discuss the philosophical conflict between IT and OT and the marriage between the two. Both play important roles. We applaud each.

This episode is dedicated to the hard working IT professionals who we only think about when something isn't working properly.

Learn how a Supervisory Control and Data Acquisition (SCADA) system works. Yes, there are problems with OPC. We overcome those problems with Native Drivers.

People use elliTek's IIoTA™ MES platform for many reasons. For brevity sake, we talk about just two of the reasons in this episode.

Native Drivers
Separation of the Networks

Discover how a SCADA system and an IIoTA™ MES platform can work together.

Learn the differences between an appliance and a Windows PC and why that is important. Why is Windows the problem?

Stay tuned to hear some basic things that businesses can do to protect themselves and their customers data.

We quote Kiersten E. Todt, managing director of the nonprofit Cyber Readiness Institute. Her insights are spot-on! Here's the link to her quotes in the New York Times article. The Cyber Readiness Institute offers free, online programs to help SMBs protect themselves from cyber risks.

Cybersecurity doesn't have to be complicated! Reach out for a FREE online demo, FreeDemo@elliTek.com.

Let's get to know each other! Connect with elliTek on your social platforms.

LinkedIn: www.linkedin.com/company/ellitek-inc
Instagram: www.instagram.com/ellitek
Facebook: www.facebook.com/ellitek
Twitter: www.twitter.com/elliTek_Inc/media

Listen on

Apple Podcasts Spotify Amazon Music Podcast Index Overcast Stitcher +

Share Episode

Share on Facebook Share on Twitter Share on LinkedIn

Native Drivers
Separation of the Networks

LinkedIn: www.linkedin.com/company/ellitek-inc
Instagram: www.instagram.com/ellitek
Facebook: www.facebook.com/ellitek
Twitter: www.twitter.com/elliTek_Inc/media

Brandon Ellis 0:00

Hello everyone. This is Brandon Ellis with "Industrial Automation - It Doesn't Have To...", and I am here with Miss Beth Elliot. Hello, Beth.

Beth Elliott 0:06

Hey Brandon, how are you?

Brandon Ellis 0:08

I'm good. I'm good. How are you?

Beth Elliott 0:09

I'm doing good. What is today's topic?

Brandon Ellis 0:12

Today's topic is cybersecurity. So, join us. Hello, everybody and welcome to "Industrial Automation - It Doesn't Have To...". In case you're new, I'm Brandon Ellis, I'm your host and also the owner of elliTek. As we jump into today's episode, I just want to ask you to hit that follow button and Subscribe Button depending on the platform that you're listening on. And if you're listening on Apple podcast, and you enjoy what you hear today, please go to the Show page, scroll to the bottom and leave the podcast a five-star rating and review. Now that we've got the marketing out of the way, I want to say thanks for tuning in. So, let's get started with today's episode. All right, we're back. Hey, guys, this is Brandon again with elliTek, the owner of elliTek, and also the host of "Industrial Automation - It Doesn't Have To...". And I am here again with Beth Elliott, our marketing manager.

Beth Elliott 1:04

Hey, everybody, hope you're having a great day.

Brandon Ellis 1:07

Yeah. So, Beth, all kinds of things have been going on?

Beth Elliott 1:11

Oh, my word. Yes.

Brandon Ellis 1:12

You have in past podcasts asked me about what's going on in the world. Let me ask you what's going on in the world?

Beth Elliott 1:19

Well, I'm excited that we have a new employee at elliTek.

Brandon Ellis 1:22

Exactly. So, Shawn Lyness, we're tickled to have Shawn on our team. He's one of our outside sales engineers. And so both he and Allison will be out there talking to folks and doing all kinds of things. So, if you all need anything, give, give them one of them a call. And they would love to talk with you about anything from robots to motion to machine condition monitoring, to data to IoT. So certainly, give us a call for those kinds of things. elliTek 865-409-1555.

Beth Elliott 1:54

That's right. And I'm also excited about that Smart Conditioning Monitoring System that we talked about last time

Brandon Ellis 2:02

Right

Beth Elliott 2:02

with Balluff and the IIoTA.

Brandon Ellis 2:04

Our last podcast was on condition monitoring. And so that spurred because of our first of all, there's a lot of hype about machine condition monitoring. That's, that's where we're doing specifically, or at least currently, specifically for predictive maintenance type types of systems is to monitor, not necessarily change, but monitor a system to watch for profiles and trends to say that something's about to happen. And try to predict that from a maintenance standpoint. And so yeah, with our IIoTA, and also in our partnership with Balluff, we have been using their condition monitoring systems and have put together a really slick package that gives visualization of the data, from charts to gauges to text fields, actually, that can be we pre-build one for customers to look at and utilize, even copy. It's included with our IIoTA product. But yeah, we allow them to make modifications to that drag and drop type thing, but and certainly our engineers can assist with that. And our integration group can provide services to get that set up from a turnkey standpoint. So, again, that's specifically utilizing the Balluff line of condition monitoring sensors. And it's a really, really slick thing. So, if you haven't had a chance to listen to our Condition Monitoring podcast, you know, take a zip back on your, look one episode back from this one, and you'll see it.

Beth Elliott 3:36

That's right. That's right. And when you've been going out and visiting customers and stuff, you've been hearing a lot about labor shortages, haven't you?

Brandon Ellis 3:45

We are, you know, we are in it, we're in the throes of coming out of which is a great thing, but coming out of the pandemic, but in doing so at least in the United States. But I think globally, there is a large labor shortage that's being realized. And so, I was actually talking to a customer just the other day, who stated that they have multiple and we're talking about more than 100 job openings and zero applications. Now these are these are your, you know, your unskilled labor type, line type work jobs, I would assume, not probably not all of them, but some of them. But it's really, really concerning to not even have applications for employment. And so, everyone's trying to, it's kind of thrown manufacturing off and thrown the whole industry off. But also, industrial manufacturing, as to why we're having this labor shortage. And then and then what can we do about it?

Beth Elliott 4:47

Well, we'll cover that in another episode.

Brandon Ellis 4:49

That's right. I definitely think that's a that's a, you know, we try to stay, for our audience, try to stay in line with current events and that's something that's really happening. And so, I do think that that might be maybe even our next podcast topic. So, stay tuned for that one. If you have and then if you honestly, reach out to us about that, specifically, I'd like to hear some feedback as, you know, if you're in manufacturing, and you know, what are you dealing with? What are you seeing? Are you seeing and what's your region, geographical region? You know, are you in the US? Are you outside of the US within the US in the Midwest and the West Coast, East Coast? Just so I think it's good for everyone to kind of know what everyone else is dealing with.

Beth Elliott 5:37

Yeah, so we can gauge where, you know, is it just in the southeast? Or is it all over?

Brandon Ellis 5:42

Yeah. And, and because if there's, you know, if someone else is getting it right, in the North, Northwestern United States, let's, you know, I'd love to share something, some morsels that people in the Southeast can certainly benefit from so. So that that would be a good, empowering type of topic. So, I think that's going to be coming soon.

Beth Elliott 6:03

Absolutely. Yeah. Yeah.

Brandon Ellis 6:05

But for today's title,

Beth Elliott 6:07

Yes. Oh, yes. Today's title is "Industrial Automation - It Doesn't Have To... Be Like Colonial Pipeline".

Brandon Ellis 6:19

Let's see, which one is it? Yeah, well, look, we're not throwing, not throwing shade at Colonial Pipeline. But they have been in the news quite a lot since I think I first heard about it on May 7, that was a Friday, that they and I'm not sure that's the date of the event. But that's when they, at least as far as the media is concerned, that's when they announced or released a statement that they had been hacked. And that's a that's a, that's a horrible thing. Now, we've learned more about it up till now. And we want to discuss that. But yeah, that that really brings about a spotlight on cybersecurity, a topic that we have talked about a few other times, and we're not trying to, you know, keep returning to the same thing. But again, current events are what they are. And we've gotten a lot of conversations, I've had a lot of folks reach out to me about what do you think about this in terms of industrial manufacturing customers and their cybersecurity requirements and how our products can help and those kind of things. I guess, at the end of the day, if in whatever industry you're in, but specifically in industrial manufacturing, and also, you know, any of the major infrastructure type segments in the United States, be it be it pipelines, you know, fueling oil and gas, be it wastewater and freshwater, those kind of things. I mean, the electrical utilities, that there's always been a concern, there's always been some media surrounding how in the United States, how secure are we? Because you know, and honestly, I think that that's also true with cellular, we, we actually had a small experience some years ago, it's probably been seven or eight years ago now. It wasn't a terrorist event. It wasn't a hack, but it's actually poor, poor, poor construction company that accidentally dug through a major fiber cable that was underground. And it supported. I can't remember if it was AT&T, or Verizon or whatever. But it basically it was a major trunk line for their cell systems. And, and it took multiple states down because everything tried to shift, and it was awful. It closed airports.

Beth Elliott 8:39

Goodness, I don't remember that.

Brandon Ellis 8:41

Yeah, it closed airports, I mean even over here in eastern Tennessee, we couldn't get calls out, you know, it was, it was just it just overwhelmed the entire system. And so that was not a hack in any way, shape, or form. But it's an example of if something and a hack could be part of that. If something is able to take out a major infrastructure, piece of infrastructure, boy it can really throw everything on it on its head.

Beth Elliott 9:08

Well, yeah.

Brandon Ellis 9:09

And so, the Colonial Pipeline, occurrence, certainly shined a spotlight on that as far as preparedness, and then what do you do on after the fact and the steps that they took. And so if, if, if you're in industrial manufacturing specifically or any kind of infrastructure, if you're an IT network, engineer or professional or even the plant president, manager, whatever and you're not stepping back, and really taking a look at your cybersecurity, and just doing a risk analysis to kind of review where things are trainings for your employees and things of that nature. You need to. It's a serious thing and it's not. It's a risk assessment. It's not all ending but we have said this I have said this in the past. We are very comfortable with a lot of security, you know, easing security.

Beth Elliott 10:06

It's easy to get lax, you know, and just go cuz you're going on your day-to-day stuff. And you know, I mean, it's easy just to let it go.

Brandon Ellis 10:14

So, it's easy to put it in the cloud.

Beth Elliott 10:15

Yep.

Brandon Ellis 10:16

It's easy to do it via cellular. It's easy to bypass, you know, the, the IT office upstairs. I mean, it's, it's easy to do those things. It's easy to put in, you know, everybody's pushing for these, these VPN type of remote. You know, machine builders and manufacturers just stick this on the machine, and you can remote in from anywhere. But how much security is applied to that? And nothing is totally secure.

Beth Elliott 10:41

No.

Brandon Ellis 10:42

So, this is a this is a good a good topic, I think, for us to discuss.

Beth Elliott 10:47

Yeah. So, I was surprised that the goal for the Colonial Pipeline cyberattack, it was to hold their corporate data for ransom. It wasn't to

Brandon Ellis 10:59

Shut down everything.

Beth Elliott 10:59

Yeah

Brandon Ellis 11:01

That's right. The reason that everything got shut down, and again, I'm not sitting here saying this is breaking news. I've talked to the President of Colonial Pipeline. This is just what I've read also in the media, and so take it with a grain of salt, but I think this is fairly accurate, that, that what they found after the fact. You know, they were ransomed, they had a ransomware attack. And so, what that means is, is that somehow this, this group, this hacking group, and I don't know that I don't know, if the people that claim it are really the people that claim it, I'm not gonna do them the service of even mentioning their name, but the group that that supposedly hacked them, or did hack them. We're not sure how they got in what the vector was. I don't think anybody's really, there's been speculation, but nobody really knows. But the fact is, they got in, they had been in for some time, kind of snooping around all the systems. And apparently, their, their IT infrastructure between IT and OT, was common, it was unified. And so, all of the OT type systems were also part of the IT based systems, which includes the accounting department, the ERP systems, and things of that nature. But also in their case, fuel and gas, I would guess a lot of SCADA systems which are typically PC based SCADA, Supervisory Control and Data Acquisition. Now in infrastructure, the control is very much used. And so, if you can gain access to a SCADA system, you can actually change and manipulate the controllers on the machines and, and even some of the smart devices and things of that nature. And so, you can do those kind of things. So, it's just a deal.

Beth Elliott 12:48

Is it easy to access? Or does it depend on the security of the IT, how they set up their security for their SCADA system?

Brandon Ellis 12:56

Well, in my experience IT is not really involved with the SCADA stuff, because SCADA is the software that's running on an IT asset, which is typically a Windows PC. So, the IT network security comes into who gets to get access to that PC, and who doesn't from the outside world. And so, they're, they're doing their IT grade of, you know, firewalls and managed switches and things of that nature, I'm sure to, and credentials, user credentials, and things of that nature. It's easy to get lax, you made that statement earlier. And when we get on the IT, on the OT side of things and typically SCADA systems. Remember, SCADA systems is what we were doing that led to the invention of our Data Commander MES gateway appliance, which is now called our IIoTA MES gateway appliance, just because it grew up a little bit. But that was because of this, it really revealed to me the conflict between IT and OT, and it's a philosophical conflict between really security. Because IT folks, their jobs, their whole, a large part of their job is not just handing out IP addresses and making sure they're not duplicated and fixing your email. Their job is to ensure security on all of the PC assets throughout and the network components throughout the organization that they're in charge of. If unfortunately, I would guess that someone at Colonial Pipeline probably lost their job because of this or will because a cybersecurity attack occurred on their watch. That's what they're judged by. They're not judged by from industrial manufacturing back on, you know, in that topic in that in that that segment, and industrial manufacturing, IT is not typically judged by how good production is, how many good parts or bad parts, how the machines are running, how much are they making the trucks that kind of stuff. They're judged by nothing should have a cyberattack, you know, viruses, malware, phishing attacks that that should be, we have to stop that at the front door. It's an extremely important job and role. Now on, excuse me, on the other side, though, the OT side, the SCADA software is typically an engineering, you know, owned by engineering.

Beth Elliott 13:12

Okay, it's an engineering asset.

Brandon Ellis 15:21

But it has to run on a Windows environment, so the conflict now comes into play. Because from an engineering aspect, when we be it a machine or, or it's a little different for infrastructure, but still, once you have a pump station working and things of that nature, you really don't want to change it. And so, we would prefer don't change once it's working, you know.

Beth Elliott 15:42

Leave it.

Brandon Ellis 15:42

It's not broken, don't fix it.

Beth Elliott 15:44

That's right.

Brandon Ellis 15:45

IT has to have a different philosophy. Because the cyber requirements, cybersecurity requirements are changing so, so fast. And it's I mean, when you update your virus software, when your PC virus software at home, at the office, wherever says, it’s time for an update, that does not mean, we figured something out about a virus before it occurred. That means someone was infected with a new virus, and we now have a shield against it, so we need to, you need to update. Otherwise, I mean, it's just like a vaccine. Otherwise, you may catch it, so to speak. And so, we, the whole virus and malware thing is a reactive industry. It's not a proactive industry. Now, when we start looking at vulnerabilities, such as Windows operating system vulnerabilities and stuff, and Windows is always sending out patches and updates for that. That's that, that they try to be more proactive, instead of reactive. But sometimes it is a result of a is more of a reaction than being proactive. Because if someone managed to, you know, utilize a vulnerability, then it brings it to light, versus sometimes their engineers figure out, hey, this could be used in this way, so we're going to patch it proactively. So, it kind of jumps back and forth. But that's more on the IT side of things. On the OT side of things, there's not much because they don't get judged by security.

Beth Elliott 17:15

They get judged by how much they put out.

Brandon Ellis 17:17

How much production and are the machines running, and do we have all the, you know, all the production data and the traceability data and all that kind of stuff. And so, it's, it's, it's a marriage between the two between OT and IT. But it's a philosophically different marriage, where OT says, once it's working, don't, don't bother it, and IT says, If I can update it every minute, I'd like to. And so, each one has very important roles. And then unfortunately, many of us engineers, and I remember times when I was cool with it, it's easier just to leave the default username and password set, you know, from the factory that we don't have to remember them, or maintenance does have to remember them. You don't get calls in the middle of the night, what's this username and password? You know, those kind of things, instead of actually instilling a, an actual credential based security. Our IIoTA allows for credentials. Our IIoTA if you, there's no back door on purpose from our IIoTA, so if you set a new administrative password, username and password, and you forget it, the only thing we can do is ship it back to us, and we'll reflash it. And of course, the new ones, we can probably reflash them in the field now, but the developers have come up with new stuff on that. But it's your you're not going to it's going to be put back to factory new. And that's not what a lot of customers want to hear. But security is security, and if there's a backdoor it's not secure. And so that's, that's as serious as we take it, but it comes down to isolation and things of that nature. But in their case, the office systems as we understand the office, they were there for a while they were snooping around. They saw evidence, smarter people than I, that, you know, as they're looking through it, they found evidence that they had been even down on the OT side. But they ransomed I think the computers more in the accounting department. Which makes sense because that from any industry organization, you know, if you can, if you can lock up accounting, then your if your goal is to get a ransom, then then you would think that's where they would shoot. And so, they locked up the accounting and billing systems, I believe. The OT side of things, what resulted from all that was and some of that was social media blitz of you know, everybody better run out and buy gas now. So, it kind of amplified the issue, kind of like toilet paper back during the pandemic. But so, we in the southeast and across the eastern seaboard, expressed a lot of experienced a lot of fuel shortages, gas stations were running out of fuel, things of that nature. Now, was that Colonial's fault? They did shut down the pipeline for a few days. It's my understanding is it's back up and running now. But I don't think that I think, had everybody just continued to live normally, which is what they were trying to urge everybody to do. And a buddy of mine sent a picture to me of someone at a gas station putting gasoline in like a tote, like you get from Walmart, like a, you know, like a tote, you know, just the storage tote.

Beth Elliott 20:29

Oh, goodness, gracious.

Brandon Ellis 20:30

Which is, do not do that. Gasoline containers are built to house gasoline for a number of reasons. First of all, gasoline will eat through some plastics. Number two, you are creating, you know, a potential fire-bomb. And second of all, it's not sealed at all, if you're gonna stick that in the back of your vehicle and drive with it, you're gonna die potentially don't do that stuff. But nevertheless, that's the kind of thing that was going on. And that, that I blame social media on, and you know, the frenzy that comes with that. But, but how much of that was Colonial Pipelines, you know, issue, I don't think as much of that. But what they did was they shut down their pipeline, because they were uncertain. And that points toward a lack of preparedness, as far as a cybersecurity kind of deal. So, the fact that they had to shut it down because they were unsure what systems were going to be affected over and above the accounting systems means they lacked some basic fundamentals on their what I consider basic fundamentals on their cybersecurity architecture.

Beth Elliott 21:39

Yeah. And I think that would be what the separation of the networks, right, yeah.

Brandon Ellis 21:44

And so that's what our IIoTA does. Now SCADA systems are a little different, because you have to have that control, they have to end that C letter. We have customers that use our IIoTA beneath a SCADA system to give separation and feed data to the to the SCADA system for data acquisition. But if they're having to do control, that needs to be handled on a different way. Now, we are not a SCADA system, our IIoTA. We are a gateway. We can do mashups of data. But it's meant to move data, transfer data front to back. A SCADA system can, you know, has that capability to a point. It just doesn't support all the communications like we do. And so, a lot of folks will use an IIoTA beneath their SCADA system, because we talk to a lot, a lot of things, including legacy items, and a lot of the newer SCADA software's, they have an OPC client, and that's about it.

Beth Elliott 22:35

Oh, they couldn't talk to all the machines.

Brandon Ellis 22:37

That's right. And OPC, as you remember, is OLE for process control is what it was traditionally called. We joke about Oh, Please Connect. But it's basically again, if Beth, you spoke English, and I spoke Japanese, and I didn't want to learn English, and you didn't want to learn Japanese, but we both agreed that we were going to learn French, then if there's not a French word for my Japanese word, you just don't get to have that word. And if there's not, same thing, if there's not an English, French word for the English word that you're saying, then then we just don't get that, so our vocabulary is reduced.

Beth Elliott 23:16

Does that mean the data is reduced?

Brandon Ellis 23:17

Well, it may say that the, it certainly can mean that wherever the data is located within the controller is reduced, as far as your accesses to those areas. And so, a lot of times data is written in different places, different types of, of addresses, or address locations, or tag types and things of that nature. And you can't, it's up to the manufacturer, to make those available over OPC. And what you end up having to do is, is typically install another software,

Beth Elliott 23:50

Oh, my goodness.

Brandon Ellis 23:51

That converts the native from the native language of the controller to this OPC. So basically, you're installing this French software that takes your English words and turns them into French and takes my Japanese then I have one that takes my Japanese words and turns them into French. And then it kind of goes from there. And so, and vice versa, of course. So, we have multiple layers of software that's running to try and do this translation. And so, a lot of manufacturers would, you know, they they're not going to translate every word or every location, every address. Our product uses native drivers. We've said that before, which means we would, we would be even though I speak Japanese when I talk to you, you hear English. And every English word is in the vocabulary.

Beth Elliott 24:39

It's like when, like at the UN, and they have those things in their ears.

Brandon Ellis 24:44

When someone's translating.

Beth Elliott 24:45

Yeah, okay.

Brandon Ellis 24:46

But ours is a bit more than a translation because we actually natively speak both Japanese and English. So, if I was capable of speaking English, it wouldn't matter what other languages that I speak; you and I would talk English, and there wouldn't be a word between us that that doesn't translate. And that's the concept of a native driver. And so, a lot of customers, a lot of end users will use our, our IIoTA for that reason, because beneath a SCADA system where they need, you know, the SCADA system is the norm. We don't see that as, see them as much in industrial manufacturing from my perspective, but certainly in infrastructure. SCADA systems have been an infrastructure forever. So, then the second reason that a lot of folks like to use our IIoTA is separation between the networks, because of our hardened gateway design. It gives a lot more, a lot more secure separation or isolation between those two networks.

Beth Elliott 25:42

Oh, it's like you said last, in the last episode going into the room, and nothing there, even if you were able to get through the door.

Brandon Ellis 25:51

And so, but the IIoTA is an MES gateway appliance and appliance is particular, because it's, it runs on our own kernel; it's not a Windows based deal. It's, it's built to be that and nothing else. So, from a cybersecurity standpoint, a Windows PC, what makes Windows so great, is that it can be something to everyone. What makes it a nightmare, from a cyber security standpoint, is that it can be something for everyone. And everyone includes hackers. And so, you know, I've said before, you know, from a local attack standpoint, if you hook something, plug something into a USB port on a Windows machine, all you have to do is convince it that it's a mouse or a smartphone or something like that, and it'll gladly give it access to resources. But and then you can shut that down, but that's not the default settings. You know, you have to be a network engineer, basically, to know. You have to know Windows. You have to be an IT professional to go in and really say we're not, we're going to shut down these USB ports; we're going to limit what they do and what they can access and stuff. That's not how Windows comes out of the box. And so, Windows comes out of the box wanting to be something for everything and be totally automatic. That's why you can buy a new wireless mouse and plug it into the USB port, and it says wireless mouse found downloading drivers now, enabled. Well, how does? How does Windows really know that that was really a wireless mouse?

Beth Elliott 27:22

I always thought it was magic.

Brandon Ellis 27:25

So, magic. So yeah, we sell magic here. So, these are things that are very real and very involved. But let's move ahead.

Beth Elliott 27:39

Okay. So, what are some basic things that businesses can do to protect themselves and their customers data?

Brandon Ellis 27:46

You know, I was talking to. I was talking to a customer just the other day, and I'm not. I see the point of it, but at the same time, I wonder how the level of effectiveness. But I thought it was very clever. And maybe more IT professionals are doing this now. I haven't experienced that myself. But a larger company, right.

Beth Elliott 28:07

Okay.

Brandon Ellis 28:08

The IT folks will create their own faux phishing messages and send them out. And if you, if you go for it, if you take the bait

Beth Elliott 28:21

Oh, you get on your record a little nick.

Brandon Ellis 28:24

You're required to do a training.

Beth Elliott 28:25

Of course.

Brandon Ellis 28:27

And it's genius. But at the same time, the conversation was about when you started getting, you know, outside of folks that are IT savvy, their training schedule was full. Because, and it was online training, so all the employees were suddenly having to spend, you know, the next weeks in training, because

Beth Elliott 28:48

And no work was getting done.

Brandon Ellis 28:49

No works getting done. But that also is a testament to how much of a need that is and how much of. So, phishing

Beth Elliott 29:00

Yes

Brandon Ellis 29:01

Phishing emails. And you and I were just talking this morning about one you got that

Beth Elliott 29:06

From you apparently.

Brandon Ellis 29:08

From me.

Beth Elliott 29:08

Yeah

Brandon Ellis 29:09

Of course, it wasn't me. And you had the wherewithal to check the return, you know, the reply to addresses. And of course, if it's a, if it's an attachment, even if it says PDF in the title of the attachment, but it's an HTML or HTM, HTM file, or anything odd, don't click it, right. America don't click on those things. And if it's a link, click here, you know, think twice before you just if it's in an email, and there's a link. We don't even, of course, ISO, our ISO requirements say that, you know, we can't link to another file internally because it can create the potential of a duplicate file, which if it's a control document, we can't do. So, we have our own internal reasons for not sending links to each other. But don't send links to each other. You know, copy the path and paste it in and put it on the company server, and say, here's where it is in this directory when you're at work, at your desk, you can click through to this. Don't, don't throw it on a Dropbox link or a OneDrive link or something. I mean, unless you are using that stuff and like it, but you need to know what you're doing. You need to know. Everybody needs to be educated. But now all of a sudden, if you got, you know, 500 employees, 1000 employees, 3000 employees, something like that.

Beth Elliott 30:25

That's a lot to manage.

Brandon Ellis 30:26

Yeah, I'll tell you, IT, IT

Beth Elliott 30:30

They have their hands full.

Brandon Ellis 30:31

They have their hands full. And, and my heart goes out to them, because it's a hard job. Because honestly, the only time we think of them

Beth Elliott 30:39

Something wrong

Brandon Ellis 30:40

Is when something's wrong, and we're mad. Our emails not working, my phones, my voicemails messed up. I mean, that's the only reason we call them. You know, everybody should reach out. If your phone is working, your emails working, you're getting this stream, and you're happy with everything right now, because you're not even thinking about your IT person.

Beth Elliott 30:57

Thank them.

Brandon Ellis 30:58

Send them a text that says thanks that I'm not thinking about you. Because they don't get that. They their lives is not a

Beth Elliott 31:05

It's a thankless, thankless job.

Brandon Ellis 31:10

Yeah, passwords. That's, that's another thing. So, passwords, I promise, this has been a conversation back and forth, there's not a good answer. There's not a good balance, maybe there is. But most IT professionals will make it so that on your computer, at the very least you have to change your password every so often. And then they'll require and of course, a lot of times they adapt, they adopt the Microsoft password requirements, which means symbols and capitals, lowercase, uppercase, numbers, and that kind of stuff, so many characters, those kind of things. And that's a good practice. But if it's too hard for folks, what's the first thing they do?

Beth Elliott 31:46

It's just going to be something easy for them to remember. Password.

Brandon Ellis 31:50

Or they take a post a note

Beth Elliott 31:52

Oh, yes, and stick it on their computer.

Brandon Ellis 31:54

Or they stick it in their desk drawer. Some. I mean, it's like locking your house down with the best locks in the world and then sticking the key under the mat at the front door, you know. The first place to look is under the mat. Right? Number two under the flowerpot, you know, that kind of thing. If you're gonna leave those things out, you know, it just happens. And so, you know, they face a hard, hard, hard task on that stuff. So, passwords need to be secure, they do need to be changed. You know, the question is How often?

Beth Elliott 32:26

Yeah, how often do you think?

Brandon Ellis 32:28

You know, I change mine all the time because I forget them.

Beth Elliott 32:31

Okay. I hear you.

Brandon Ellis 32:37

And then, and then I'm forced to, you know, you used that password before use something else. And so, I come up with something else and get in and do my thing and then a week later, I can't remember. And so, I've got more forgotten password links than probably anything, you know, a lot of stuff. But yeah, my passwords change quite often more so than probably necessary. But that's because my memory is horrible. I don't know, I don't know what's reasonable. I would love to hear an IT person comment on that.

Beth Elliott 33:08

Yeah,

Brandon Ellis 33:09

I know. I know, we're lazy, generally lazy, at least, especially in this United States, we tend to be lax and lazy when it comes to stuff like that. You know, that's the reason why the most popular password is password1234, you know, that kind of stuff with a capital P. If that's your password change it.

Beth Elliott 33:27

Please

Brandon Ellis 33:28

Yeah. Yeah. So, I don't know, I don't. If you haven't changed it all the time, then, you know, there you go. But even the I forgot my password stuff, you still have to have credentials on that to get it, which is absolutely necessary. You know, Apple started all the face recognition with their phones, and their iOS’s. You know, Android with the phones, they do the fingerprint stuff. And then there's computers, you know, even a lot of the computer manufacturers have done fingerprint scans. The only problem is that after a while, what if your fingerprint reader stops, so you got to have a back door.

Beth Elliott 34:06

Oh, yeah. Oh

Brandon Ellis 34:07

And if you have the back door

Beth Elliott 34:08

Yeah, there's your open vector there.

Brandon Ellis 34:11

That's right. I was on a panel some years ago in Anaheim, at the Medical Devices Manufacturers show. And one of the gentlemen there, I forgotten his name. He was extremely, extremely intelligent individual. But he made the statement that, you know, a lot of times with companies there, if there's, if there's six doors in the room, and five of them are locked super securely, but number six isn't. You might as well unlock the other five, because you have to get them all. And then my point to that was, but what about the number seven door that you didn't mention that we're not aware of yet? So, there's always it's from an IT standpoint, they're always having to look, look, look, look, look. And so, it's a tough job.

Beth Elliott 34:57

Yeah. What else should businesses be doing?

Brandon Ellis 35:00

You know, I mentioned, I mentioned USB sticks and sticking stuff in, you know, the mouse in the USB, those types of attacks are typically, I mean,

Beth Elliott 35:09

Those are insider jobs.

Brandon Ellis 35:10

Have to be inside. Yeah. But that that became a real issue for folks when folks were partially working remotely. Because they would go home, do some work there, USB stick, thumb drive, save their work, come back to the office, plug it in to their computer. And unbeknownst to them, their home security was not where it needed to be versus the plant security, and so something came in that way. So, software updates, software updates were a large reason why the Data Commander came to be. Because when we were installing SCADA systems, what would happen inevitably is, IT has to do their job to update the PC. And so, Windows updates, virus engine updates, firewall updates were a big one, malware updates, they go out and see if I don't, I don't know what this software is. So, I'm going to not allow it to run, I'm going to put it in, you know, in the sandbox, so to speak, or something like that. So a system would go from running perfectly, to suddenly not running because a communications layer was cut off based upon a firewall software update, or a Windows Update or something like that. And so, support just continued and continued and continued. And I became very frustrated, personally, and the costs were just through the roof. Because usually when you do a system, most manufacturers have in their, their work contracts, that you're going to support this system for free, for 12 months, 12-month minimum. So, if there's any issues, you have to respond within so many hours, and you know, you have to support it at no charge. Now, if you get there and find out they did something wrong, you know, we're not talking about that. But in this case, it just quit. So, when we got there, we would 99% of the time it was an update that was done by a push down update from IT that resulted in something that they're not responsible for SCADA, they don't need to make sure SCADA is working. And so, the question is, is who's responsible for that from a cost standpoint? Is that fall under standard support? Or does it is it a billable visit to the to the end user, and nobody wants to,

Beth Elliott 37:15

Nobody wants to pick up that bill.

Brandon Ellis 35:10

So, it's just all kinds of frustration from every level and all of it, each of it somewhat justified. And so that's where I realized the problem here is the Windows PC, the environment by which it's running. And so, by creating an appliance, the analogy you've heard me say, is like a toaster at home. If you buy a toaster, it, it toasts. You don't have to worry about coming home one day, and it's sending email or, you know, it’s washing dishes, or it's decided it's a refrigerator, it's only going to ever do toast and but, it's going to toast hopefully very, very well. Because that's what it's designed to do. It's not going to cool anything, it's not designed for that it's not gonna, you know, if you're changing the tire on your car, it's not going to act to hold the car up instead of a jack, you know, it's not designed for that. It's only designed to toast and that's what an appliance is. Even in the computer world, we refer to PCs, and then we refer to as appliances, which is an embedded, dedicated device. And that's what the that's what the IIoTA is. Now it's got a lot of capabilities that are the same that you get from a SCADA system running on a PC, or any type of data acquisition. But it's built into it. It's optimized for that. So, but yeah, I'm sorry, I jumped down a rabbit hole. That's where the software updates, it was that type of philosophical disagreement that caused us to create the data, caused me to look out to find other options, couldn't find any other options. So, we invented the Data Commander, and now it's called the IIoTA was because of that conflict. Outside of that, you know, there's what do you got here? You've written down the cyber readiness programs? So Cyber Readiness Institute? Yeah, they're, they're a nonprofit, right?

Beth Elliott 39:03

Yes. And they've got free programs for small and medium businesses, where they can they have kits, and that they can do their own little risk assessments and stuff like that. I haven't gone through the program or anything like that. But I thought it was interesting that it's free.

Brandon Ellis 39:18

That is interesting. And I'm familiar with Cyber Readiness Institute. And I can say the reason why that I'm familiar with them is because of a recent New York Times article that I read, and I brought to your attention, where they had had quoted had referenced the Cyber Readiness Institute. But a quoted individual, Kiersten Todt, I guess, is how you say Todt. So, Kiersten, I'm sorry, I got that wrong, but Managing Director of the nonprofit Cybersecurity Readiness Institute, and she had some very interesting quotes that I pointed out to you in the New York Times. Basically, it was a, from that same article in the New York Times, and I'm possibly paraphrasing here, but the point was that that Colonial that there's experts that say that Colonial wouldn't have had to shut down its pipeline if it had more confidence in the separation between its business network and its pipeline operations. Well, that is IT and OT, and it's that lack of confidence. So, getting back to what happened quickly, we were talking about that the fuel shortages and all that results, but what they did was they realized that the hackers had been around all the systems. They ransomed the accounting and billing systems. That's it. They didn't shut down anything else.

Beth Elliott 40:39

No, their goal wasn't to cause the chaos. The Chaos was

Brandon Ellis 40:43

Well, that's what they said. That that's what they said. But the interesting, they said they were shutting their servers down and all this kind of stuff. But Threat Post, who I follow on Twitter, a couple days later said not so fast, their servers aren't so shut down because Toshiba got hacked by the same group. The same people apparently hacked Toshiba, ransomed just a few days later. So, saying they didn't intend for all the chaos. If you're just in it for the money, that's not permissible. That's not, doesn't make it okay.

Beth Elliott 41:16

I'm not saying it was okay.

Brandon Ellis 41:20

But in Colonial's standpoint, they really didn't know how to, they know what was coming next. They're trying to figure out where all, where they had they been, what all did they do, and what's next. And so, they out of caution. And, you know, the knowledge that there was no separation between these two networks, and that they had gotten onto both networks. They chose to take as a safety measure, preventative measure to shut everything down. And so it wasn't that the ransomware shut down the pipeline. It only shut down the accounting systems, billing systems. But there was concern about, you know, is it just isolated to this system. And so, until they got a handle on that, and that's that, that's certainly an admirable way of handling that. I mean, it's a responsible way of handling it. The point of irresponsibility, and of course, they say hindsight is 2020, but had they had separation in place, and that's what the New York Times article is kind of saying is, at least these experts that they they're referencing, is that they have had they had that separation, they could have handled and managed the problem in accounting without shutting down operations otherwise. They could have kept going. And so that was the oversight. I think that they're coming from. But Kiersten said, Can I read her quote?

Beth Elliott 42:41

Sure, have at it.

Brandon Ellis 42:42

And this is this is her quote, from New York Times article. There should be absolutely, I'm sorry, let me get it right. "There should absolutely be separation between data management, and the actual operational operational technology. Not doing the basics is frankly, inexcusable for a company that carries 45% of the gas, gasoline, (I'll say that's what she means gasoline), but gas to the East Coast." And so Colonial Pipeline is a huge, huge, huge operator. They move all the fuel, you know, gasoline and diesel throughout pretty much most of the Eastern supply all the

Beth Elliott 43:19

It's from Texas to New Jersey, going 14 states.

Brandon Ellis 43:23

Yeah. And I didn't know, they went to Texas. Wow. I thought they were in Georgia, started in Georgia. That's interesting. So even further than the eastern seaboard. Yeah, they're big. They're a big deal. And so she was, she was thinking that they should have thought this through a little bit better.

Beth Elliott 43:39

I think they originally thought that they had the separation.

Brandon Ellis 43:42

Oh, did they? Well, everybody probably thinks.

Beth Elliott 43:45

They were probably sold a bill of goods.

Brandon Ellis 43:48

Well, yeah, there's the marketing part. Yeah, the sales part. Yeah, it's tough. It's tough. Honestly, and I've said this before nothing is impervious. Even though you may think it is, nothing is. And you know, cryptocurrency, Bitcoin, the whole deal. It's impervious, it's unhackable. You can't hack it.

Beth Elliott 44:10

I don't know about that now.

Brandon Ellis 44:11

And then about a month ago, one of the cryptocurrency vaults was hacked. And they took all kinds of Bitcoin. I mean, not just Bitcoin, but all the different cryptocurrencies, because this this vault is the go between it's necessary to basically be the exchange between different currencies. And so, it got hacked. Well, so I go back again to manufacturing. I've heard people say, yeah, we're doing condition monitoring, and it's a web-based system. It's cellular based, and it's goes to their cloud. Is their concerns about security? No, there's nothing else connected to that.

Beth Elliott 44:47

How do they know?

Brandon Ellis 44:48

Well, how did they know? They didn't, may have designed it to say nothing else is connected to it, but ultimately, they're coming down to condition monitoring system that's running on Ethernet IP network with a PLC. And all it takes is another cable connection into a switch. And suddenly it's part of another network.

Beth Elliott 45:04

Wow, it's that easy?

Brandon Ellis 45:05

It's that easy. I mean, you know, you just plug something in and plug something in inadvertently. I mean, nobody means to click on the phishing email. Right?

Beth Elliott 45:16

Yeah.

Brandon Ellis 45:16

So that's the stuff IT professionals are dealing with every day. And so yeah, I think there's perception, we're safe. But like, like the gentleman said, in that, in that panel, you can have all five doors locked up tight, secure, but if the number six door doesn't have a lock on it, you might as well forget it. Lock the front door. Do the safety, you know, the ironclad safety, you know, storm door, put a rock in front of it. But if you leave the window open, the side window open, then

Beth Elliott 45:48

It doesn't matter.

Brandon Ellis 45:49

What difference does all that make. So, it's an interesting thing.

Beth Elliott 45:53

So, I was reading that same article was saying that the analysts say installing uni, unidirectional gateways along the, their pipeline would be complicated and expensive. What are those gateways that they're talking about?

Brandon Ellis 46:09

I don't, I don't know exactly what they're talking about. I assume a uni, a unidirectional gateway means that you can move

Beth Elliott 46:15

it's just one way.

Brandon Ellis 46:17

Yeah, I guess it is one way. Uni being one. Bidirectional would be both. So, I would assume that, that that's what we're talking about, is, you know, with the IIoTA. If you're using it, a lot of, as a lot of customers do, so that it's unidirectional, especially. Moving data in one direction. But you have to be able to go bidirectionally in any type of a standard IoT system, especially a SCADA based system, because if you're doing control.

Beth Elliott 46:45

Okay

Brandon Ellis 46:46

So, I'm not real sure.

Beth Elliott 46:49

I should have asked you about this before.

Brandon Ellis 46:50

Well, I don't know. I mean, installing unidirectional gateways along 5500 miles of pipeline is complicated and expensive.

Beth Elliott 47:00

I could imagine.

Brandon Ellis 47:01

It's definitely got some expense. If it's an IIoTA, it's not complicated. Because again, it's hardware. Now if you have to go in and do those gateways and they're, and they're software-based security or managed switches, if they're talking about switches, gateway switches, and things of that nature. Yeah, you're gonna have to go in and basically program them and all this kind of stuff.

Beth Elliott 47:22

Oh, okay.

Brandon Ellis 47:23

Because it's software controlled. You know, with what's allowed to go here. And then port forwarding and all that kind of stuff. That's what we call a NAT addressable type firewall, and things of that nature, managed switches, what's allowed through, what's not, what can see, VLANs and things of that nature. Ours is not that. Ours is it separated. It's hardware separated and

Beth Elliott 47:44

Hardware separated with bidirectional communication.

Brandon Ellis 47:47

Yeah, so we can from our IIoTA, if we're, we're communicating natively, we can talk out either port and read and write from either port. But as far as the NIC chips they're not able to talk to the other one. So, they're totally isolated. And it's, we say hardware, meaning that it's physically, physically isolated. It's not a software isolation.

Beth Elliott 48:14

There are two ports on it.

Brandon Ellis 48:15

Two ports, physical, but even with two ports, it's not a software that's controlling the traffic between the two, it's hardware that's controlled, and that hardware is physically not connected to each other. And so, it is hardware based, and not software based. Software basically says, you know, shut your eyes Beth, there's two doors in this room, just believe me, you know, and so tell me what you want to go out the other door, and, and I'll take care of it, you know, so you don't get to see the doors. You just tell me, and you know, I'll tell you and, and, but then I'm going to manage where the information goes to. So, you know, that's the way devices are having you come in on port one, you may have be given access to port three, four, and five, but not you don't even know that six, seven and eight exist. That's controlled and set up with, with software on the chip level, doing things which network address translation, port forwarding, and all the things that IT folks set up on managed switches and, and when they're setting up VLANs, virtual LANs, virtual local area networks, that kind of stuff. And so that is all to be able to do that requires programming. If it requires programming, it's software. You can't change ours. It's not a programming thing. It's just physically that way. And that's it. And so, it's considered hardened versus, you know, a hardened gateway versus a firewall.

Beth Elliott 49:43

Okay, okay. Okay.

Brandon Ellis 49:45

And so that's the difference. And firewall means software.

Beth Elliott 49:47

Software based Okay, okay, I understand that.

Brandon Ellis 49:49

That kind of boils it down. So. So it doesn't have to be complicated. It doesn't have to be expensive on the IIoTA either because I think our IIoTA is fantastically priced. There is a cost though. And on 5500 miles, we'll cut you a discount. But I don't know how much that is, but I'm sure it's something that has to be budgeted and considered. But nevertheless, the goal of our, this podcast is not to sell IIoTA's, though IIoTA is a sponsor of today's podcast.

Beth Elliott 49:52

That's right. And it's not to throw shade at Colonial Pipeline. It's just to shine the light on there are we every business, we can't be lax in this at all.

Brandon Ellis 50:26

Well, look, if it can happen to Colonial Pipeline, then it can happen to anyone, and especially if you're a small to medium enterprise business, you know, let us help you with that. Now, we're not, we don't taut ourselves with cybersecurity experts, there are plenty of companies out there that are but if you're unsure, certainly we can have a discussion about it and give you our points of view. But certainly also, we can provide isolation between IT and OT, and then also do that in a non-complicated fashion, especially if there's PLCs involved robots, CNC controllers, and things of that nature and going up to upstairs database systems and the ERP systems. And so that stuff should be easy. And with our product it is, and I think it's the easiest out there. So certainly, give us a call about that.

Beth Elliott 51:10

That's right. And if you want to learn more about the IIoTA, that website is IIoTA.net.

Brandon Ellis 51:17

IIoTA.net. That's right.

Beth Elliott 51:20

And that means industrial,

Brandon Ellis 51:23

Industrial Internet of Things Appliance

Beth Elliott 51:25

I've written it down, typed it so many times, my mind just went blank.

Brandon Ellis 51:29

It's an acronym. So yeah, and certainly Colonial Pipeline, you know, my heart goes out to them and having to deal with this. Nobody wants to be the victim of any type of a cybersecurity deal. And so, but they're handling it and a lot of people kind of got upset by them, they're throwing shade at them, because they shut down the operational side, but they weren't sure. And, and it could have been a lot, lot worse if they hadn't and something had happened there. It could have been a lot more expensive as well. And I don't care who you are, when these kinds of things happen, not only is there going to be a cost increase, as we've been seeing down here on the eastern seaboard and eastern coast or eastern part of United States, gas prices have gone up. Now some of that's artificial because of the run-on gas. But it would have any time something like this, you're going to see an increasing in fuel costs, unfortunately. And that affects everything. We're already experiencing fuel shortages and supply chain issues, with food with electronics with everything, and you add fuel to that it's just, it's just a perfect storm. But had they not shut down, taken those steps, and those systems had been ransomed.

Beth Elliott 52:48

Could you imagine.

Brandon Ellis 52:49

That could have taken them down for months, I mean, honestly, months. In fact, while it's not, my understanding is you're never supposed to pay the ransom, they did pay the ransom, but the cypher they got didn't work, or was only working halfway. So, it certainly is not worth the money. But you know, they're just trying to do whatever they can do to keep America moving on the eastern, eastern side of the United States. And so, I applaud them for that and their efforts. But hopefully, they can get it pulled together quickly and get us back on the road.

Beth Elliott 53:21

That's right.

Brandon Ellis 53:22

So Colonial Pipeline. Good luck, guys. We're with you. Praying for you. And let us know if we can help in any way.

Beth Elliott 53:30

Absolutely.

Brandon Ellis 53:31

We're all in the trenches together. So, Beth?

Beth Elliott 53:34

Yes, Brandon,

Brandon Ellis 53:35

I think we should do a podcast on the labor shortage.

Beth Elliott 53:39

Yes, I agree. I think that'll be a timely topic.

Brandon Ellis 53:43

So guys, I want to thank you for keeping up with us, for keep keeping this the downloads, and the streams coming and going, and the comments, and the kind messages that we've received. And we're tickled to do this. We keep upgrading our podcasting room. It keeps looking nicer and nicer. We're, we're almost look like, like a recording studio. So hopefully, the quality of everything, at least how it sounds is good. Hopefully, you're enjoying it. So, I want to thank everybody for taking part of our podcasting and going forward. And thank you, Beth, for all the promotion and the stuff that you've done so well. So, I guess we'll wrap it up for today.

Beth Elliott 54:27

All right. If you want to reach out to us, give us a call at 865-409-1555. The website is elliTek.com.

Brandon Ellis 54:38

And the IIoTA website, IIoTA

Beth Elliott 54:42

dotnet

Brandon Ellis 54:43

dotnet.

Beth Elliott 54:44

That's right. That's right.

Brandon Ellis 54:45

And then we also have still, for those of you who know us with our Data Commander, there's also thedatacommander.com, thedatacommander.com.

Beth Elliott 54:54

That's got a lot of resources on it too.

Brandon Ellis 54:56

And that's where still a lot of resources are.

Beth Elliott 54:58

That apply to the IIoTA.

Brandon Ellis 54:59

That's right. So, the IIoTA is a next step or revision of the Data Commander. So, anything you see there in terms of resources, or how to videos and things of that nature certainly apply to the IIoTA. So, a lot of information there and certainly find us on Facebook, Twitter, Instagram and LinkedIn.

Beth Elliott 55:15

Yes. And we will put all those handles in the show notes.

Brandon Ellis 55:18

Perfect. Hey guys, thank you very much. Beth, say goodbye.

Beth Elliott 55:21

All right. Thank you for your time, Brandon. Thank you all for listening.

Brandon Ellis 55:24

See you guys.

Transcribed by https://otter.ai

Industrial Automation – It Doesn’t Have To…

Industrial Automation - It Doesn't Have To... Be Like Colonial Pipeline

Listen to this podcast on