Hey, hello, everybody. Welcome back to this episode of Security Matters. We are not live from the studio today. We are live from the Security Next conference in New Orleans. It's been a great show. The folks here loaned me a room to do the show, and I'm excited today to not have to skip a show. We have Joe Rockhow with us today, not in the studio but remote. He is from 40 Partners; he's a partner there. And Joe, welcome to the show. I really appreciate you joining me here for a double remote episode. It's my first time doing one of these, so we should have some fun today.

Yep. We're trying out the technology.

Nice. Thanks, man. In case our viewers aren't familiar with your work, we know you from your work with PSA previously. But if you could give them some background, maybe some of your history that led up to the work you've done with 40 Partners and the work that brings us here today. A little later in the episode we're going to get into some of the cyber hardening, the cybersecurity around facility management. But let's get an intro from you, sir, and thanks again for joining me.

Oh, my pleasure. Thanks for having me. I've been in the software development industry for a long time. I've done about 40 commercially successful applications. I did that in the period when they were just starting to become networked, and found that, as the internet came, security became a very big issue. And so I started the electronic crime and risk management practice for, I guess, the predecessor of 40 and Partners. At that time it was a senior executive advisory about cybersecurity not really being a technical issue for senior management, but more of a business issue of reputation and stock value. And that was really where the pain was going to come for businesses. Because the unique thing about cybersecurity is that people can steal your data, but you still have it.
It just gets into the possession of somebody that shouldn't have it. And so you now get a question about the level of attention and confidence and negligence that might have been applied to the data. So then, more recently, I had a security systems integration company. And at the time that we were providing physical security, when I acquired this company, I discovered that we were also increasing the cybersecurity. And so we quickly went and developed what we called the cybersecurity protocol that we used. It was about 60 security controls that we used whenever we installed or serviced systems for our customers. That has now moved into what we call the Never Cry cyber defense with 40 and Partners. And it's a much bigger service offering than it was when I was just doing it with my own integration company. And that's how I got here.

I know there are different types of controls, and most of them map back and forth to CSF, ISACA, Australia 25, and there are all these different frameworks. How did you folks decide on the 60 you decided upon? That's of real interest to me, because, you know, the CSC Top 20 is out there. Where did they evolve from? What was the driver there?

That's a great question. Well, there are all these standards. There's CSC, there's ISO 27001, there are about seven or eight NIST ones. So what we did is we looked at what are the common ones across all of them. And the theory was that if they're common to everyone, then everyone has to have them. And if everyone has to have them, we don't even have to do an assessment to find out. We just go and start to do it. And if we see that it's already there, it's fine. If we don't, then we have to do it. And it saves both time and money, in that you don't have to do the assessment first. And while we're implementing those 40 to 60, we find out what is there. We actually are conducting an unofficial assessment.
And if we find really big gaping holes at that time, we would get them addressed. And so then when the assessment's actually done, it's pretty clean, and somebody doesn't get a whole bunch of bad news. The other thing is, out of that common set of, say, 60, depending on the system you sell and the market you serve, you're going to have a slightly different set. So that's where it becomes maybe 40 for some people and 50 for others. If you're selling AV systems, audio-visual conference room collaboration systems, to the office market, it's probably going to be about 40 controls. But if you're doing access control in a laboratory that has very sensitive information, it's probably going to be up there pretty high. Makes sense?

I like the idea that the approach takes into assessment the risk of not only the material being handled, you know, the asset being protected, but the system type that's being used. I think that's forgotten a lot by people who want to apply, you know, they walk in with heavy-duty NIST 800-53, 1700 controls: oh my gosh, if you're not doing all this, it can't be secure. And that's just not the case. The case is really building a protection level that addresses the risk the customer faces. Because then, when it's palatable to the budget and to the implementation methodology, it can probably be affordably maintained. We've all gone in and know that hardening is a point in time, right? We've got to somehow monitor that hardened condition to make sure some guy like me doesn't accidentally hit his own keys and change something that I didn't mean to change. There's the negligent and the haphazard operator, I'll call him, for lack of a better word; there's the mischievous operator that just wants to go in and try things because he thinks he knows what he's doing, and then leaves things unsecured. So that piece of it, I think, is so important.
What's your experience with the 60 or so controls? Was that fairly easy to monitor and maintain for the clients?

Well, the beauty of them is, when you look at them, they're really simple. And if you're already there doing it, it's just something that, it's like, that's what we do. It's like brushing your teeth and combing your hair. It's just what you do. So some examples are: how long does it take to turn off anonymous access to the application? Not long, once you're configuring the system. But that's a major deal, because now that enables logging of the activities. And now you can track what happened to a system. It doesn't take long to change the default password. And if you check in advance with the customer and you ask them what the convention for their passwords is, then you just made it that much better for the customer and you've secured the device. Those things are really, really simple. It really adds less than a percent of the time on a project. It's not a cost factor.

Yeah, we like to build those hardened conditions in the lab, right? Obviously in the pre-staging of a system, what we call face testing, we're burning in to make sure the device, you know, usually if they're going to go bad, they're a little bad out of the box in 24 hours or so. So we get past all that. We get a hardened configuration. Then we get it dropped into the facility. Then we get to run a check against it to make sure nothing's been changed. And then we have a sort of point-in-time place that we can send a technician back to periodically check, if we're not running some persistent monitoring; not all the sites allow persistent monitoring or want to pay for it. So at least we've got a baseline image that we can check periodically to know if the customer's made changes of his own, or somehow the device has been compromised, or whatever.
So I think it's super intelligent to build a system that meets the needs of the customer, with a lot of controls that probably many, many people haven't considered doing. And so, was this something that you kept internal? Was it something that you shared out to the community as a, hey, here are some best practices that we've adopted? Or was it like a competitive-advantage type of tool for your group?

Well, no, we did presentations at PSA Tech more than once, you know. It's a very useful way, very pragmatic for everybody, because it doesn't add a lot of cost. For example, with the scenario you just described, when that system's installed, one of the items on almost every cybersecurity hygiene list is to synchronize that system with the network clock, so that now all the logs will be synchronized, so that you can compare what happened on this system at this time and what happened on another system at another time. If it's not, you do a real disservice to the security team if that's not synchronized. But how long did it take? I know, it's just a piece of everything.

You just pointed out the NTP divide. That's a normal setting on a checklist, right? I mean, everyone has this. I've been in situations where NTP was not turned on for anything. So I understand exactly what you're saying. It's a nightmare to understand what occurred after the fact. Let's compare and contrast just for a moment, you know, the security world that we were talking about, the AV system world. And then I know you've been recently working a lot more with building and facility systems. And these are different, probably not IP network systems, or sometimes a blend of IP and devices that aren't on the network at all. And I want to get into the Never Cry system. We've got a break coming up here in a couple of minutes, but give us an idea of how you switched from sort of the integration market into this, the Never Cry, or are you still doing this for those folks as well?

Yeah, I call this, so let's see.
I call the systems that are the building IoT, or building systems, the junior varsity of building systems. And it's the voice over IP phone system, access control, video surveillance, the business machines like the copiers and the printers, AV conference room equipment, and the non-engineered HVAC systems. Once you get into the engineered ones, you're in the real building automation. The reason that we focus on the junior varsity of the building systems is because they're the point of attack. The Harvard Business Review and Microsoft Signals, their research group, that's two research reports that came out in 2019 that said 60% of all cyber attacks start with the junior varsity of building systems. Of course, that's my paraphrasing there. And Microsoft identified the top three points of entry. Now, this is 1400 companies that they studied that were attacked by nation-state attackers. And out of those 1400, the top three were: the first one was the voice over IP phone system. The second was video surveillance, actually the network video recorder. And the third one was the office machines that were connected.

Yeah, so if you go to that first graphic, we have number one.

So this shows how the point of attack is on these building systems. The attackers get their point of entry, then they sit there with a software implant and they pick up the credentials of people who log into those systems, assuming that some of those administrators with those privileged credentials have access to other systems as an administrator. So that gives them the power to move outside of these building systems and go and attack the data, either for ransom purposes or to steal it, or to attack the industrial control systems or the engineered building automation systems. And the interesting point for the listeners, I think, here is that on the IT side, if they go after that, they're going after pure data. If they go into the building systems area, now you're getting into an area of life and safety.
There are a lot of attacks that have happened to demonstrate the ability of taking over a building, stopping elevators with people in them, destroying centrifuges that are producing either scientific or weapon-grade materials. There is no security without securing the junior varsity of building systems.

Yeah, and I like your caption there, overlooked and under-secured. Hey, we're about at the midpoint, so we're going to take a break for a minute, pay some bills. We'll be right back in one minute with Joe Rakau.

[Break]

Hey, Aloha, and welcome back to Security Matters. I'm with Joe Rakau, and we are talking about Never Cry. Joe, take us into, I guess, the next slide. Let's talk about that chasm that exists back there, and then walk us through some of these, the reparations that you've got. I think you've got a few slides for us.

I do. It's fun stuff. Okay, so what we have here is what we call the Backdoor Canyon. And the IT department is on one side of the canyon, and the building systems and IC are on the other. And so we talked about how you can't secure your building or your IT.
You can't secure your IT data or your building without securing the building systems. And the reason for that is that building systems have been designed in a way that they can't be communicated with by IT's standard everyday tools for monitoring: what's the version of the firmware on the system, who's logging in, who has access, preventing people from having access, updating the firmware, what's going on with the memory on these devices. They can't see it. And so they can't help. And so the people, facilities management, and the supplier of building systems have to be the ones that secure the device, certainly at the device level, when they install it. But that was almost impossible to do until 2019. Several really, really terrific things happened in 2019 that now make it possible. You want to go to slide 4?

Yeah, let's have good news. That's awesome. Good news from 2019. I love it.

Yes, that's right. These things all empower things in a way that couldn't happen before. Some of it is awareness and some of it is actual software tools and technology. So we want to go to slide 4. Okay. So what happened, early in, around June of 2019, was first we understood that a majority of attacks were coming through the building systems, and both Microsoft and Harvard Business Review reported that and made that public with solid research and, of course, high-profile credentials. Then NIST came out with guidance on how to handle IoT systems and devices. Now, some of these are building IoT and some of them are just other IoT. But what they said that made it so important and empowering, in some ways, is they said: we can't give you a standard. These devices have so many things that require special consideration and manual configuration that we just can't tell you what to do. We can't say "do this." All we can say is you've got to consider this, and you've got to configure, if you've got systems with these parameters, you've got to configure this.
So that sets off a whole different thing when people can't just lean on a framework that's already provided for them. So the idea of the Never Cry cyber defense for building systems: you've got building systems that are causing a majority of the presence by unauthorized people. And you know that you have to figure out, in the situation, what controls need to be applied. And so that's the service of Never Cry. Never Cry has gone through the 60 controls that every cybersecurity framework requires, gets all the ones that are required by those, and then applies the considerations that NIST identified to say, well, if you sell a voice over IP phone system in an office environment, then these are the security controls you probably ought to get pretty good at installing with your systems. And if you do video surveillance in, like, a football stadium, these are probably things you ought to be looking at. So we do the configurations and provide the guidance and train the technicians so that they know how to do it, and train the salespeople to help them avoid getting into conversations about cybersecurity, because all they have to do is know their hygiene. And so the customer says, well, what are you doing in this situation? Well, you know, I'll tell you, this is what we do every time: we go through and we do this and we do this and we do this. And the salesperson can feel confident that they're not losing control of the conversation and they're giving valid information. That's the really exciting stuff.

You don't want them to get creative with the "I think we're doing that, let me get back to you." That's never good, right? You really want a nice solid answer when you're talking about hygiene. If it's hygiene, you can count on it. It's like, you know, I wash my hands.

Perfect. Okay, so that's securing. That's the first layer of security. Remember, everybody talks about having multiple layers of security. You can't just have one.
So that's the first layer, at the device level. And what's unique here is that it's the supplier who knows the cameras, knows the encoders that are used, knows the manufacturers that are at various stages of updating their firmware. And they're the people that have to do it at the device layer. You can't expect IT to do it. You can't expect the facilities management staff to do it. It has to be done by the building system suppliers. And the end user has every right to expect that. So it's a nice handshake there.

Okay, what really happened in 2019 was the next layer of security. And that's the network layer. Remember, these devices do not interoperate with standard IT tools and technology. So we need to do some special things in order to be able to secure them on a network. And one of the really nice things is a software-defined network technology is available where you can go and identify all of the devices, all the junior varsity building system devices that are on your network. And you can identify them by their addresses and then create a file, and that can become a firewall, so that the only way those devices can be accessed is through whatever port you're creating with your software-defined network, which is typically only one. And then you manage that port, and now you've got two layers of really good security.

Okay, now there's a little bit of overhead with the software-defined network that is kind of a total-cost-of-ownership issue, and a lot of companies, if they look at it in detail and the finance group gets involved, will say maybe that's not the best solution. Then there's a software-defined perimeter, which is a really, really slick solution that cloaks the identity portion of the IP address so that an unauthorized person can't even see that that device exists. And of course there's an encryption process there. And so people who have the key can see that device.
And the beauty of that technology is that you can move devices on and off the network and you don't have to do anything; you don't have to report back to anybody. So that eliminates that total cost of ownership. And the third thing with this that's really important for IoT devices is sensors. If you think about it, almost every IoT device is essentially a sensor: who presented their card at the door, who walked in the door in the hallway where there's video surveillance, who's talking to me on their line on the telephone. They're all sensors. And it's very difficult to control when the sensor itself is compromised, and the signals that are going into the sensor are the same signal that's coming out, managed and adapted according to whatever protocols are in there. So there's a comparison. There's a device out there that will compare the signal in, make the adjustment for whatever protocols and processes are done inside that sensor, and confirm that the signal coming out has integrity and is the right signal. And that's a really, really important part.

Yeah, it's like setting a signal parity. So I love this: we've got a software-defined network, we've got a software-defined perimeter, and then we've got, like, device parity going on inside this building. That's a lot of security that people don't hear about. I'm glad you've taken this sort of rescue net out to the people in the world, because it's never too late for them to start getting better. We're about at the end of our time. Would you like to add a final comment for our audience out there that may be watching, maybe how to get a hold of you?

Well, yeah, so you can get a hold of me through 40 and Partners. So it's 40andpartners.com.
But I do want to mention that facility managers now have the opportunity to retain technical leadership to help them assume the responsibility and execute well on the security responsibilities for the devices, especially since now they really can't rely on IT to help them. That's probably a pretty important message, I think, and you were talking about it earlier.

Yeah, exactly. Well, thank you for joining us today. Facility managers, get a hold of 40 and Partners and get yourself some help. That's all we've got this week for you. We'll be back next week on Security Matters. Thanks again for joining us. Aloha, Joe.

Aloha, audience. Aloha.
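The hygiene controls the guests describe above (anonymous access turned off, default passwords changed, the device clock synchronized so logs can be correlated) and the host's point-in-time baseline check are easy to automate once a technician's post-install export is in hand. The Python below is an added example written for this page; it is not code from the interview, the show, or 40 and Partners. The device records, field names, default-credential list, baseline values and skew tolerance are all constructed assumptions for illustration, standing in for whatever a real inventory export or device API would return.

```python
"""Point-in-time hygiene and baseline-drift check for building-system devices.

Added example, not the interview's or any vendor's code. Field names, the
credential list and the inventory below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Vendor default credentials to reject. Constructed list; a real deployment
# would carry the published defaults for each model it installs.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "12345"), ("root", "root"), ("admin", ""),
}

# Largest tolerated offset between the device clock and the reference clock
# before log timestamps stop being comparable across systems (assumed value).
MAX_CLOCK_SKEW_SECONDS = 5


def check_device(device, baseline, reference_time):
    """Return a list of findings for one device; an empty list means clean."""
    findings = []

    # Control 1: anonymous access off, so log entries can be attributed.
    if device.get("anonymous_access", True):
        findings.append("anonymous access enabled: actions cannot be attributed")

    # Control 2: vendor default credentials replaced.
    if (device["username"], device["password"]) in DEFAULT_CREDENTIALS:
        findings.append("default credentials still in use")

    # Control 3: clock synchronized with the network time source.
    if not device.get("ntp_server"):
        findings.append("no NTP server configured: logs cannot be correlated")
    else:
        skew = abs((device["clock"] - reference_time).total_seconds())
        if skew > MAX_CLOCK_SKEW_SECONDS:
            findings.append(f"clock skew {skew:.0f}s exceeds {MAX_CLOCK_SKEW_SECONDS}s")

    # Drift: any recorded hardened setting that no longer matches the baseline.
    for key, expected in baseline.items():
        actual = device.get(key)
        if actual != expected:
            findings.append(f"drift: {key}={actual!r}, baseline {expected!r}")

    return findings


def audit(devices, baselines, reference_time):
    """Map each device name to its findings; devices without a baseline get only
    the hygiene checks."""
    return {
        d["name"]: check_device(d, baselines.get(d["name"], {}), reference_time)
        for d in devices
    }


# Constructed sample data: the reference clock and three "junior varsity"
# devices as a post-install export might describe them.
REFERENCE_TIME = datetime(2019, 11, 12, 15, 0, 0, tzinfo=timezone.utc)

DEVICES = [
    {"name": "nvr-01", "username": "admin", "password": "admin",
     "anonymous_access": True, "ntp_server": None, "clock": REFERENCE_TIME,
     "firmware": "5.20.3", "https_only": True},
    {"name": "voip-pbx", "username": "svc-pbx", "password": "Kx9!vQ2#mL",
     "anonymous_access": False, "ntp_server": "10.0.0.5",
     "clock": REFERENCE_TIME + timedelta(seconds=2),
     "firmware": "3.1.7", "https_only": True},
    {"name": "mfp-lobby", "username": "admin", "password": "Printer-2019!",
     "anonymous_access": False, "ntp_server": "10.0.0.5",
     "clock": REFERENCE_TIME + timedelta(minutes=40),
     "firmware": "2.0.0", "https_only": False},
]

# Hardened settings recorded at commissioning (constructed).
BASELINES = {
    "nvr-01": {"firmware": "5.20.3", "https_only": True},
    "voip-pbx": {"firmware": "3.1.7", "https_only": True},
    "mfp-lobby": {"firmware": "2.0.1", "https_only": True},
}


if __name__ == "__main__":
    for name, findings in audit(DEVICES, BASELINES, REFERENCE_TIME).items():
        status = "clean" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Run against the constructed inventory, the NVR fails all three hygiene controls, the phone system is clean, and the printer passes the hygiene checks but shows a 40-minute clock offset and two settings that have drifted from the commissioning baseline. The same structure works for the periodic technician visit the host describes: re-export the device settings, re-run the audit, and only the diff from the recorded baseline needs attention.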