Well, good afternoon. I welcome to Hawaii, the State of Clean Energy. I'm Ray Starling, your host, and Jay couldn't be with us today because of conflict, but he will be with us in spirit. We do have a very interesting show, and not just because Jay's not here, but it's all about security. We miss you, Jay. It's all about security with a focus on cybersecurity and some of the vulnerabilities that can happen to our clean energy grid as it grows and expands in the digital age. My guest today is an expert, Andrew Lanning. He's vice president at Integrated Security Technologies, a Hawaii-based business that Andrew co-founded back in 1998 with his wife, who is still associated with it. So Andrew, you've got quite a resume. I'm just going to read just a few nice things about you so people kind of get an idea. You're all about security and cybersecurity. You started back in 1982. You know, COBOL and Fortran, some guys have been old as me before they remember that. But you also served in the Navy back during the Persian Gulf War.

That's how I got to Hawaii.

You were a missile technician, and that's kind of where you got your start. I'm not going to go through all of this, but basically you're on multiple committees and networks where you participate in moving information back and forth about cybersecurity. And you've got a degree, started out in psychology at UH, and you've got a master's in communication. You've got communications from Hawaii Pacific University. And welcome to the show, we're very happy to have you here today. So before we get into the topic of technology related to cyber and things that can go bang in the night, can you tell us a little bit about your company? What does it do?

So in Hawaii you're to do electronic security systems, you're a contractor. So we're a contracting firm. You can think of us as an electrical contractor, but we specialize in low-voltage systems. So we're installing pipe and cabling and getting all the infrastructure put in.
And then we're installing all that equipment on the walls, be it cameras or access control card readers, intercoms, intrusion detection systems. Then all that stuff today has a server and software and client-side applications that have to be configured. And then you do the training for the end user and teach them how to manage it and get the reports out of it and deal with the system. So we're kind of nuts and bolts. To say we're electrical contractors only leaves it a little thin because we've got a lot of IT types and database types and application guys in our company as well. So we're a pretty IT-savvy little group. Electronic security has become that piece of the industry today.

Well, we thought this would be a good combination with you and me. You know a lot about cybersecurity and I know just enough about the energy world to know that things are going nuts in the energy world now, and cybersecurity is becoming much more important than it ever has before to the grid that we're all connected to. So before we get into those kinds of questions, though, can you give us some general ideas about the just regular joes out there that have connections to the grid, or to the internet rather, that they might keep in mind, whether it's a business or an individual, to try to minimize the vulnerabilities that are inherent in just connecting to a bunch of other people out there?

Yeah. So we talk about that threat surface, you know, that vulnerability surface, right, and all the devices that you have that connect to the internet are talking to something. They all have a MAC address, they all have an IP address, they all have a suite of protocols that they talk with, right. So all these devices, when you connect it, there's actually 65,000 plus ports on that IP address, right, and so you might use one of them, port 25 for SMTP, Simple Mail Transfer Protocol, to do email with, for example. You might be doing a file transfer over FTP, which is another port, or Telnet.
So when you connect with a browser to a device to maybe view its configuration settings, everyone's probably set up a router at home or installed some sort of a device where they had to first, you know, bring it online, and they use a browser on port 80, and that browser is an HTTP port connection, right, so that's connected to port 80. So there's a lot of these system ports, the first 1056 of them I think are system ports, and there's user ports and ports for many, many things. So, you know, people I don't think are aware that there's so much open ports available for vulnerabilities to be present on.

So that's a port in your computer or your server?

It's a port on the actual IP address itself, so every IP address, just, you know, when you have a device that acquires an IP address, this is the protocols that these things talk with, protocols run over those ports.

Okay.

Yeah.

Alright, so what should an individual do to try to protect himself, what's the simplest way you can try to prevent something bad from happening to your own system within your residence, I'd say?

Yeah, so the residential, the consumer, you know, the average consumer I think is hamstrung with understanding a lot of this technology, so, you know, if you really don't know what you're doing at all, you need to get some help first of all. But if you've got a little bit of savvy and you want to understand, you can get tools that are free, like Zenmap for example. You can run Zenmap from behind your firewall and that'll scan your network for you and give you a report of all the devices that are attached. You may not even know that your light bulbs are talking to your internet or whatever it may be, if you're not aware of all the stuff that's been installed, you know, if you have maybe wireless thermostats and your HVAC guy installed them and you don't really know that they're there.
Typically these devices, some of these tools will also report the BERT firmware version, so you can go out and check the manufacturer's website to make sure you have the latest firmware version, maybe you need to upgrade that firmware. And please, you know, a lot of consumers don't even get a router, right, and they think that the, like their Time Warner Cable modem is a router protecting them, and oftentimes none of that stuff is enabled or it's all just defaulted, so you really need to get your own firewall put in and understand, you know, how to manage that firewall so that everything's closed except the things that you want to be working.

Now is that something that most people would likely be able to do or not be able to do?

I think if you follow the manual, the trick is to not accept that, you know, make sure you follow the guy, don't just get it working and stop. Make sure everything that you don't need working is turned off, and that's a critical step that a lot of the consumer-grade equipment just doesn't run you through. It's designed more for easy plug-and-play. You've heard of a tool called Universal Plug and Play, a lot of these devices have. Well, just because you got it working doesn't mean it's secure. It may have been opened, like I said, maybe by default FTP is open. A lot of manufacturers have ports open that are like first so that they could remotely service a device without having to come to your location to do that, and so by default there may be a hardwired default password on that port that they can access, and that may be able to be known by simply, you know, searching on the internet for, you know, default password for Linksys router, for example. So that kind of stuff has to definitely be locked down, you know, for sure, at the consumer, in the small business, in the medium-sized business. You know, we see this across the spectrum all the way up to the enterprise guys who have an IT department, they're working on it as best they can, as much resources
as they've been given, but right below the enterprise the problems are rampant, the vulnerabilities are out there.

So if you did have a small business and you wanted to protect yourself and you didn't feel like you knew enough about all of the things we've talked about, that's for sure, would you likely just hire a firm like yours or somebody out there to come in and sort of check it out and fix whatever is risky?

Yeah, so we're an electronic security firm, so we're not, I really try not to, I really try to steer clear of the IT, which is all the workstations and servers and switches and routers. We know about that, but I definitely could give people references. There are a ton of great small businesses in Hawaii that sort of specialize in that area and they can get you some help, and business owners for sure should be doing these types of assessments. You know, if your business is, the sort of trend in businesses today is that the regulated industries, that being critical infrastructure, which I know we're going to talk about, health care, fight the financial sector, all of these guys, and now their supply chains that are bringing stuff to them, maybe you're just their HVAC guy or maybe you're their POS vendor, that's your point of sale systems, or maybe your electronic security vendor like I am, we're starting to get the same sort of regulations that they're held to pushed down on us by them, you know, in their contracting verbiage. So it isn't regulatory, it's just that they want their supply chain to be as secure as they are, and that's a fair thing. So, you know, if you're in business, probably you're going to see some of that coming at you if you service any of the regular, any of the regulated industries, for sure.

Okay, let's go from regular business and residential situations to the grid.

Sure.

And from my perspective, the grid is growing. It used to be just the utility, it owned the grid, it did everything on the grid, it was the one that that made the
electricity, sent it to the customers. Okay, and they started allowing independent generators to come on, and those were usually, in the early days, were big systems that were contracted to sell their power to the grid, but the utility still had full control of it. Now we're getting into a situation where a lot of people have PV on their roofs and a lot of people are actually generating power. At sometimes they push it out on to the grid, and sometimes, when the sun's not shining, they take it from the grid, and that begins to make a lot more complexity to the grid. It was already pretty complex, but now you've got multiple parties on the grid that are needing to talk to one another in some form or fashion or get signals. This may not be what's happening right this moment, but it will be happening as people give sometimes and take other times. That's going to be part of the grid that has to be secured, cybersecurity, because it...

Like for load balancing?

Yes, load balancing, and some of it's going to be automated, some of it's going to be worked by a third party, but there'll be many more entities plugged in and pushing stuff on to the system or taking it off at will, and that becomes a big problem. And I don't even know how big the problem is. I'm asking you to sort of give us your idea about what needs to be done on the grid scale to help protect the grid from nefarious people doing things on the grid that they shouldn't be.

Well, I mean, we saw the attack out West, right? There was a physical attack, obviously, right? Guys tried to take down the substation, right, that's firing at it, right? So there's the, if we remove, if we say, okay, well, we know it's, you know, we can't move it, it's not mobile, so, you know, it can come under physical attack, and we'll just leave that as is. So outside of physically attacking those facilities, right, because I'm just guessing we're going to take down the grid, we're talking about sort of like destabilizing
it by taking a substation offline, you know, in a big way, right? But the smaller guys, for example, if I've got a device, a load management device that's talking ostensibly to another load management device across the island, it's either using internet or some kind of wireless protocol, right? So those types of devices are similar to devices that we have in the electronic security system industry, where they all have that web interface I was talking about, that HTTP port or that HTTPS port. And I do sit on, Underwriters Labs is currently working on a new specification for the industrial control systems as well. Their embedded, you know, little Linux web engine has the same problems as many of the other ones do, especially some of the older ones, so they don't even run encryption on that connection, so it's very easy to brute-force attack it and sort of take it over. And the future, I think we'll see those devices, currently I think most of the utilities are working to sort of firewall that stuff, and they need to know about it, right, they've got inventories of it, but, you know, I don't think we can just let it open up and talk, right, because it's got to be monitored today. Now the newer ones, where we can get some encryption, probably a little bit less.

Let's hold that thought for right now, okay, take a break and come back, and yes, and move along. All right, thank you.

Aloha, Howard Wiig. I am the proud host of Code Green, Think Tech Hawaii. I appear every other Monday at three in the afternoon. Do not tune in in the morning. My topic is energy efficiency. It sounds dry as heck, but it's not. We're paying five billion dollars a year for imported oil. My job is to shave that, shave that, shave that down in homes and buildings while delivering better comfort, better light, better air conditioning, better everything. So if you're interested in your future, you'd better tune in to me, three o'clock every other Monday, Code Green. Aloha, and thank you very much.

Okay, we're back, and we've
got a great show for you today with Andrew Lanning, who's with Integrated Security Technologies, and we've been talking about, we've sort of been moving up the scale from individual users of the internet and the cybersecurity that's necessary there, but we've gone to the big grid that the power system uses to move power around, and it's getting bigger and it's getting a lot more players involved. And we were starting to talk about sort of how do we think through trying to protect that grid against cyber attacks, because those can take down the entire grid, and that's certainly a possibility anytime, but as we grow and more people are connecting to the grid and pushing power to the grid or taking it back, depending on whether the sunshine in their PV is working, that is going to be the big problem for us going forward, a problem for the utility and ultimately problem for all the customers. So we were talking about sort of how we go about that, or how you would expect the utility systems to plan for that and help to defend against it. So what we've got is people who are new to this whole thing, they're becoming engaged and they're connecting, and what vulnerabilities could they bring on to the system, because they're having to talk, and through their smart meters talk to the utility, or talk to somebody to let the grid know what's happening at their individual station where they're taking power or giving power. So do you have any thoughts about that? I know that nobody knows very much about it now, I mean, it's a growing industry, but do you have any thoughts about sort of where you would start if you were trying to fix the potential problem?

Sure. So what I saw with the, Underwriters Labs has taken this on as well, Underwriters Laboratories, you know, they have a stamp for like your fire systems and things, so they've definitely taken an interest in this, and the industrial control systems is a
special subsection of the series 2900 that they're working on. So, you know, the idea that the firmware in those devices hasn't been well tested and could be thwarted, right, you've probably heard of certain things, buffer overflows and different types of attacks that can be run just against the firmware. So the first thing was to get those manufacturers to start running their firmware through the same type of processes that guys like Cisco and Microsoft and the rest of the IT world have done for a long, long time. So that standard is being written. I'd say it's a few years from being published, and then probably we're another year or two beyond that before we get equipment that's been put through that process and can have a layer of cyber assurance that, you know, when the installer gets it or when the company gets it, they can know that it's got all these assurances and tests that have been run against it, right? So we're lacking that today, probably, in the stuff that's out there, and so the level of vulnerabilities is probably open to the mind, you know, to just the whim of an attacker, you know, his desire to want to thwart something. You know, if you can find out what type of a piece of equipment was used, and, you know, unfortunately there's a habit of contractors, architects, all these design specs all just float around for bidding purposes, right, so it really wouldn't be hard to find out what type of a piece of equipment, down to the specific part number, is installed here for perhaps monitoring an endpoint or a load balancing type piece of gear. So then you just can go procure one and figure out how to attack it, right, and so, you know, just at home, before you, you know, ever go to actually run a real attack against it. So there's that kind of stuff, and there are guys, you know, that are employed by utilities and some of those manufacturing, many cases, that are working on this stuff too, so they get paid, white hat hackers get
paid to find those vulnerabilities as well, and they get paid by the manufacturer to find them before the bad guys do.

The white hats are the ones, the white hats are the good guys?

Sure. Used to be the bad guys, maybe. The bigger concern that we have with utilities, and it's, so if I find something, the last thing I'm going to really do is just go break a utility. Why would I do that? What I'm going to do is try to get my malware spread out into as many utilities as I can. Now I've got a valuable tool. If I could take down the east coast, the west coast, or Hawaii, or whatever it may be, from, in the hackers' speak, now I've got something I can sell. Doesn't mean you get to take down my power, but what's the point of that, but, so, money for, but someone may want that capability, so that's what I'm going to do, is sell that capability to them, and, you know, you can just auction it off. You know, you typically need to do a little proof of concept for him, but that's all, the buying and selling of this capability is sort of what we have today.

And in the block, on the black market, you know, like where we, I mean, not that I would ever go there, but where would you go? What dark leagues or...

There's a ton of sites here. I can, yeah, you can buy tons of attacks, tons of attack tools. You can buy whole kits that have all the known attacks against anything you want. You can get Kali Linux for free, a lot of this stuff, so you can head for free. A lot of, you can lease, there's like leasing models for a DDoS attack, for example, and do you want to do it for 30 seconds or do you want to do it by...

A DDoS?

A denial of service attack.

Okay.

Yeah, so like if I say I just want to make sure you couldn't get any energy in your neighborhood, maybe, you know, I could maybe take that stuff, take an area down for a while, right, just as an example. It's more done against like websites and web services and things like that, where they slam it with so much data that no one else can get to it, so it's a denial of
the service. So imagine if I take your bank, you know, your banking service offline or something like that. But, you know, all of these things are available to people that are just willing to work on it to make money. There's a ton of money in this type of crime, and that, you know, that's a problem.

Now let's say you're a business owner or, you know, CEO somewhere that wanted to just keep up kind of with what's going on, just kind of, they don't want to dig into it deeply, but they'd like to kind of watch what's going on. Is there a website, or is there a government agency, or perhaps a magazine that sits pretty good about those kinds of things?

Yeah, I mean, I would tell anybody definitely to follow a guy like Brian Krebs, who blogs. He was a journalist that got hacked, and he's gotten very deeply into the world of hacking, and so he takes really some sinister things and really explains it in layman terms. CEOs I think have more concerns than that, though. They've got to be concerned about their own enterprise, so they should be concerned about the NIST, the National Institute for Standards and Technology. So NIST publishes a ton of great information on things that the business owner should be doing inside the business, and the CEO hopefully has a CIO and a CISO and some people giving this guidance so he can ask the board for more money and, you know, all those sorts of things. So, but there's, you know, Brian's, that Brian Krebs is a great start. Cisco, the Talos group publishes threat briefs and weekly updates on all kind of the stuff that's happened out there in the world that they see. Cisco obviously sees traffic on a global scale, so they see all the threats and threat actors and they know where malicious things are emanating from, right, so they report on all that kind of activity on a weekly basis. Talos, TALOS, the Talos group's really good.

Okay, well, we sort of moved around, but we're still back at the utility grid, which is going to continue to be
a challenge, I think, for the utility and also the ratepayers in many different ways. But, you know, one of the things that we haven't talked about was sort of what kind of damage you could do by penetrating, by finding out people's passwords, and by tricking people to click on to a site that takes the intruder right into their computer. Do you have any thoughts about that that you might give to our audience?

Yeah, so it's the number one tool of hackers. So everyone really thinks it's all these technical controls, right, but the technical controls are things we can actually fix. So like we talked about firewalling and monitoring, so we can really, and all those ports, you know, that are open, we can actually technically lock that stuff down. But what I can't lock down is the guy who calls you up and says, "Man, you got to go look at this right away, you sent something, I'm your IT guy and you need to go check on this link I just sent you," and then you click it, boom.

Now if you just go to an email, is there any way that they can, just by not clicking on anything in the email, but just clicking the email to look at it, is there something that they could do to actually get you going down the road, so to speak?

So you giving up, definitely once your email run through some services that look at that, like, so Cisco has Umbrella. There's a lot of tools that are in place today, and a lot of, Google, you know, Office, you know, Microsoft, a lot of them are running a lot of these filters against that, so you're not even seeing it, it's getting skimmed off before it gets to you. But there are, so if you have like auto preview turned on, for example, right, and you get an image, today you can embed code into a picture or a movie, so if you have auto preview running and that image is displayed, then yeah, they could run code. So you got to be careful. If you're running some decent antivirus, you know, software there, you should, you
should be okay. I'm a fan of the machine learning stuff that's out there today. Most of Symantec now edit some machine learning. You know, it was all signature based previously, so, you know, they had to know about the exploit to look for it, right, so zero these signs, right, so these zero-day things weren't getting caught. But today, with the machine learning that's been added to a lot of the tools, we can look deeper at those things that are just re-bundled and re-bundled. You know, you can look at eight or ten iterations deep to see if something is truly malicious or not.

Okay, in an email. Well, you know, we're coming back to the end of, happens quick. You know, I really want to thank you for being with us today, Andrew Lanning, co-founder of Integrated Security Technologies. That is all the time we have today, and thanks to all of you for joining us today. Please come back and see us, we're on Wednesday afternoons at four o'clock, so come see us then, and we'll see you next Wednesday.