 Bingo, four o'clock rock here on our flagship program, Hawaii the State of Clean Energy, which comes to you by virtue of the Hawaii Energy Policy Forum. And my co-host for this show, Derek Sonora, I never told you that before. And Matt Chapman is our special guest. And he is at the University of Hawaii West, Oahu in Information Technology and Cyber Security. Matt, welcome to the show. Yeah, thank you. I really appreciate it. Thank you, Derek. And thank you, Jeff. We are going to take all your knowledge from you today. Fantastic. Shouldn't take too long. Give us some background. Where do you, where do you, where'd you get this knowledge? Okay. So I'm a retired Army officer. I did 24 really exciting years in Army. Very honored to be able to serve in the military. It was terrific. I enjoyed almost every moment of it, right? Wow. Nice to see something, yeah. Exciting things and, of course, some difficult places and times. So I retired in 2014. The last three years of my military service, I ran cyber operations for Pacific Command. I was the chief operations for the cyber center there, right here at Camp Smith. After a few tours in 25th, I moved out there. When I retired, I had the opportunity to take over the cyber programs at the University of Hawaii West, Oahu. So I was excited to do that. Get a chance to train the next generation of cyber professionals. You're an important guy now. We need to train the next generation. There's some really smart kids out there, so I'm really excited. So you had a successful career in this, in this area. What do you bring? I mean, what did you bring to the table? What special skills or orientation did you have to make you successful in this? So it's a few things. Of course, there's the fundamental knowledge that you need to get. So all of my degrees in school were computer science. It's really into the fundamentals of programming, networking, and the Ph.D. here at Manoa. Great program. 
Operating systems, databases, software development, so all of those fundamental skills, I had the opportunity to teach for a couple years at West Point. Computer science there and really how does it fold into the military and fold into national defense. And then, of course, through the military progression, you get the chance to work with regional partners, international partners. So when you fold all of that together and then include the information technology perspective because over time, we've been worried about control of land, we've had armies and such like that, other domains of the sea, the air, the space, but now we've got this amazing complex domain which is cyberspace. So how do we ensure that our information is communicated, as intended, protected from malicious actors and really to keep the country safe? Just to put it in perspective, though, you know, you study computer science, you know about databases, you know about connectivity, but that's not enough for cyber security. That's right. Cyber security is in a secret realm somewhere and it requires much more than ordinary, say, business transaction type software experience, right? Can you describe that realm? What kind of a realm is that? Yeah, so a lot of that, again, is from experience and we can talk a little bit about the network infrastructure. So after the fundamentals... If you can't talk about it, just tell me. Sure, sure. I will understand. So you said some of this resolves in the secret realm, right? Of course, in the government, things are highly classified really fast, right? But if you're the Bank of Hawaii, you're a Hawaiian Electric or something like that, this is very important information to you and the information sharing is critical. 
The way that networks are designed, the way that the hardware evolves, the software evolves, the processes that we use to protect our information, whether our data is generally in three states, whether our data is at rest on a hard drive somewhere, how do we protect it? When our data is in transit between different locations, how do we protect it? And then what a lot of people don't think about is when the data is in the CPU, right in the central processing unit, in memory, I've got another state. So it turns into how do I protect my information on all these states, but I can't only get focused on the computer software, the computer hardware and the bits flying back and forth. I've got physical security concerns, there's laws, policies and mandates that have to be followed, and of course the user training is significant, which we can talk about. Is it hard to be a hacker? You know, one time, I tell you, one time I went on the web and I did a Google on hacking and lo and behold, in five minutes' time, I found hacking programs, open source hacking programs that were apparently very popular, and you can download them for free anywhere in the world and they will hack into this, that and the other thing. I mean, is it hard to be a skilled hacker? It depends on your level of skill. So one of the first things you need to do, whether you're concerned with the protection of critical infrastructure, your personal information, whatever it is, is try to determine what's the threat against your networks, right? There's highly skilled adversaries, malicious actors at the nation-state level where they have enormous resources, enormous budget, enormous time and enormous talent with highly skilled malicious actors. You'd be one notch down, you'd be concerned with political activists, people that are trying to push their ideology, whether it's terrorists that are trying to disrupt systems or hacktivists, you may have an Anonymous and some of these things. 
Again, the skill level is pretty significant. If I move over to business actors, whether it's a business partner or organized crime, which is maybe some of the most skilled hackers, because there's a lot of money in the market, right? And they can be hired by some of these nation-state actors to conduct malicious activity. So there's this realm of highly skilled, highly practiced malicious actors. You're not going to be able to download hacking programs from the internet to do that? Perhaps sometimes you can. And then it goes down levels from there, because when you look at just maybe some business competitors, anytime I'm in a business or I'm trying to transmit a service, right? I have partners, I have customers, suppliers. There's so many networks that are interconnected that you really also have to be concerned about the security of those networks, too. One thing I get over the past few years is that we've seen a change in this. It was the kid at first, maybe 10, 15 years ago, playing. Now it's state actors. And the state actors like Putin, we were talking about, have amassed huge armies, in China, too, huge armies of cyber criminals who can hack anything, including, for example, Sony Corporation or any target they like. Sometimes not just criminals, but also parts of their military forces. Yes. It's everywhere. It's ubiquitous. And one of the things that, you know, so it's those guys are real serious. Those guys are at the top of the food chain in terms of hacking and having an effect. And that means essentially cyber war. And you know, we talked before about the interesting concept that we may be at cyber war now, but we're at a war of deterrence. Because we know that if we try any real big tricks, the other guy's going to unleash his force on us, so everybody sort of doesn't cross a certain line. 
But you know, one thing that comes out is that if you want to do cyber war, if you want to do hacking at a high level, the one thing where you can disable your enemy immediately is energy. Yes. So Dr. Chapman, how high or bright of a target is the energy world? So going back maybe a month after 9-11, President Bush issued an executive order, 12-3-21, that talked about the importance of critical infrastructure protection in the information age. We quickly learned as a nation and the federal government at the same time that we've got to be concerned about terrorist attacks in the United States. Now most of our critical infrastructure is highly connected. Jump forward to 2013, February, President Obama put out both an executive order and a presidential policy directive on critical infrastructure security and also critical infrastructure security focused on the cybersecurity of it. So Presidential Policy Directive 21 outlines 16 critical sectors and assigns responsibility to different government agencies across the board for those particular critical sectors. So you can imagine what some of those are, chemical, nuclear, energy which includes our electrical grid, agriculture, water, emergency services, health. The disruption or really destruction of any of these critical sectors is going to bring instability to the country, maybe instability to the financial aspects of the country, health and human services. Sarah, do you want to follow up on that? I do. So when we talk about safety of the grid, especially here in Hawaii, where can the attacks happen? Is it at the equipment level? Is it at the software level? I remember way back after, you know, we did the whole 2000 thing, you know, we're all talking about when the computers hit the zeroes, everything will start to come down. Nobody wanted to be in the air. And everybody was worried about the electricity coming off and, you know, there was a big announcement said, don't worry, your bills will be fine. 
And everybody went, wait, we're talking about energy. So how, where is it? What are we concerned about here? Because I understand you protect your computer systems and that's personal information and all those things, control systems. But what about the other layers of it? There is so much electronics everywhere, especially in the grid. What do we got to look at? So you might not like the answer. Uh-oh. All of those places. All of those places. At the most lower level, we have the field devices, right? So the field devices are going to talk to the programmable logic controllers or whatever that hardware is that it speaks to. What's interesting, at least from an academic perspective, is as you go through academia, you learn certain languages of the Internet. You know, it's TCP/IP protocol, stuff like that. When I get down to these lower level field devices, they're different languages. They're different protocols that generally students aren't taught. So we're moving into this realm because the first layer I have to worry about is those, the communications between the field devices, whether it's a Modbus protocol, a DNP3 protocol or something like that. So I have to worry about that. Generally, you have to connect into these things, which means physical security. You can never underestimate the importance of physical security because someone can get access to these field devices. These are going to communicate the layer up, right, as you know, to the human-machine interface devices, HMI devices, sometimes supervisory control panels. So if I go to change the temperature of my air conditioner, right, I walk to the wall, I click a button, it's my interface to it, but there's some communications that's going to control the device. From that station, if I'm talking about electrical grid or transmission, right, I have distribution, transmission, production, all of these other areas, eventually that will touch some of these protocols we're more familiar with. 
So there's, of course, another avenue that a malicious actor could use is through these business networks, the protocols that we know, looking for connections to these remote terminal units, these programmable logic controllers, the intelligent devices, because now we stick ethernet connections on there, right. So we want to be able to see it on a supervisory panel. Sometimes we need to because we want to be able to shut it off if there's an overload or something like that. But that means that we've connected these field devices to the business networks and, of course, added other vulnerabilities to it. So we have the field devices, physical security concerns, the technical pathways between different networks, the overlapping of protocols. So it's very important the segmentation of all of these networks, right. There's commands that shouldn't exist at different layers of security, people that shouldn't exist in locations. We were talking earlier about the UPS delivery guy that wasn't the UPS delivery guy. So unfortunately, the answer is all of the levels, especially as we get to the distributed systems, because if we want smart grids, it means sensors. Sensors mean more avenues, so it gets really complicated quickly. Suppose I get off the grid completely. I mean, there are not many. There's only a handful of people in this state who've actually gone that distance. Most of them, I think, are in remote areas on the big island, I think. But suppose I get off the grid completely. I have solar panels, and I have storage at home. And I'm not connected at all. Am I completely out of the woods? Unfortunately, never completely out of the woods, right? Because, again, there's the physical issue. And of course, if I laid out the rest of those 16 sectors, healthcare, emergency services, right? We need all of those other things that make our country. One cannot live by energy alone. Right. You heard it here. 
But it'll certainly reduce the attack surface if you completely disconnect yourself. But there's been many successful attacks that are not internet-connected, because they find a way to jump that air gap. We don't want you to worry too much. No, no, no. We want you to worry a little bit. Sorry, friends. So let's take one minute off and stop worrying for a minute. When we come back, we're going to find out how we, collectively and individually, can protect ourselves against this kind of attack on energy here in Hawai'i. We'll be right back. Bingo. We're back with Derek Sanota, my co-host. And Matt Chapman, University of Hawai'i West Oahu, an expert in information technology and cybersecurity. We're talking about Hawai'i's vulnerability and the rest of the world, too, to attacks of the energy system directly or indirectly. So you were talking during the break. You know, I'm sorry, you got to do it again. You weren't here during the break. You guys missed the best conversations. You would have heard good stuff. So why don't you replay the break? 
Last week we had the whole conversation about residents and what information they could lose. But Dr. Chapman brought up a good point. If you have physical access to a device, you could plant something malicious. And there's a lot of opportunity when smart meters get deployed everywhere at commercial facilities at residence. For some person who is very intuitive, very ingenious to plant something malicious, can that malicious file, so to speak, the digital image of it, be transmitted back as a feedback to the utility and do some damage? And that's what I was just kind of wondering, because let's say that was possible. Could they create a scenario around the islands where they create disruptions of services? And could that be significant enough to draw enough attention away from where the real damage is targeted? And like the military, for example. You're really thinking like a hacker, Derek. Well, I hang around with you quite a lot. Yes, so. And growing in my inquisitiveness. Yeah, you're going to get some job offers. But you know, that's a simple thing, because a smart grid, by definition, is the two-way communication. That's right, yeah. Yeah, so I'm just kind of wondering. So is that real? Is that a question, man? Yeah, so I'll take it to bank robbery, right? If you're someone that's considering robbing a bank, there's different avenues into it. Right? There's windows, doors. And you want to reduce as many of these vulnerabilities as you can. Put that to the smart meter. I have all of these sensors. Every time I introduce another device that has two-way communications, that's another device that I have to be concerned about, because it's a new avenue. There's ways to mitigate it, because sometimes you have to introduce that, right? If I have a web server, I can't turn down the port that speaks to the web server. It won't work. Right? My email, the same thing. 
So with the electronic sensors in the distribution, the two-way communications have to happen to enable the smart grid. So what do you do? You try to reduce these and mitigate these vulnerabilities as much as possible. Physical security we mentioned quickly, encryption of traffic en route, of traffic on the device and traffic in memory definitely has to be considered what to do with those. And not only someone implanting the information, but some malicious actors are just interested in gathering the information. If I know what your energy usage is, there's a building that energy uses peaks at a particular time, right, and then something happens after that, I know that every time the energy peaks, you're burning the midnight oil for three days in a row, you're doing something big. Right? So just the information of how much electricity I'm using, what is it pulling from, could be valuable information. Of course, I can stand outside my house and watch for the light. They could just follow you. Well, you know, the thing about it is that we talk about cybersecurity. This is cybersecurity month on Think Tech energy. And there is vulnerabilities, vulnerability in everything we do. You've sufficiently established that. At the generation level, you know, at the distribution level, and even at the home level, and even at the guy who's off the grid level, okay? Right. And that's your personal information at home. It's generally the same concept. Yeah. But is Norton enough, what do I have to do here? Is there somebody watching out for me to protect me now? Maybe from the United States government, maybe from the state, maybe, who knows what? Is there somebody watching out for me or do I have to watch out for myself? And if I have to watch out for myself, what exactly do I do? So I can give a, I'll go over a few principles in general. Definitely need to always be concerned. 
Just as you would your physical security, as you crossing the street or something like that, you got to be concerned with your information. So you do have to watch out for yourself. For my organization, I need to watch out for my organization. If I work for the country, I have to look out for that. So we'll start with the most simple. Everyone talks about the passwords, right? So much is dependent on our passwords, whether it's our phones, how many, how many things can you access on your password? So password control is of course significant, complex passwords and non-reuse. So if I go into Facebook or I go into my bank account, hopefully my bank account is much more difficult than the password to get. Oh, shucks. I got to change my... I'm going to take a short break and change the password. And also some multi-level authentication. So the password shouldn't be enough. So now when I go to ATM, there's something I know, my password, and there's something I have, it's my card. Sometimes when I get into secure systems, it may be fingerprint, retina scan, right? So the authentication becomes critical. And as we introduce Internet of Things devices, smart TV. My smart TV is on my router. Some people have coffee pots on the router. All of these are computers that sometimes you're not going to patch your TV. Actually, my TV does patch itself sometimes. You're not going to patch your coffee pot, but those may get access into the network that may eventually get into your financial information that may be able to transition down to these field devices. So is the government helping me out on this? The United States government has enormous resources. I remember that in the case of the Stuxnet virus, which was a tremendous effort by the US and Israel to destroy the centrifuges in Iran's nuclear project, they spent many billions, tens of billions even, developing a little software that big that could go around the world and get involved in those Siemens controllers. 
So I can't do that. I cannot spend tens of billions protecting myself. Is there somebody out there protecting me? So I talked quickly about the executive orders from President Bush. Obama's put those out. There's many mandates that the government is putting on health care systems, all of these critical information systems. Not directly, but by requiring others to do it. I would say because you have a little balance between what is intellectual property of a business? What is your personal information? You probably don't want the government going in and encrypting your data. Not these days. Right? So there's different authorizations that different government agencies can have. So for the electrical grid, the government can't come in and try to help secure the network, look for malicious activity and clean it because they don't own that network unless there's a partnership between government and industry. So that's one option. Excuse me. It has to be the utility then. It has to be the utility to protect the utility facility. That was just an example. So the critical infrastructure sector is right there, 16. So the example I used was utility, but it could be just as much as a local bank or you have a t-shirt company or something like that. There's government organizations that don't have the authorization to help and of course they can't defend all of the networks. So the way to increase the security is really the partnership between government resources, state resources, industry, and really just people's personal care because it always goes back to the individuals. So the Stuxnet example is terrific. So the code generally modified some of the protocols on the field devices I talked about waiting for that Siemens piece of architecture and the published material says that it had to jump an air gap. These were unconnected systems. So some of the techniques to jump air gaps are if there's a USB device transferred between machines. 
An air gap is where you're not connected. You're not connected. The machine is not connected to the internet. So part of this is just personnel training. There are technical things you can do to say you can't put a USB device in this classified system. There's also procedural training the employees of things not to do and for example it was able to jump an air gap partly because of personnel training issues. And you can ask this question. I'm going to leave it to you to ask this question. But this question is really important I think. I'll be ready. I'll be safe. This is a question out of the Marathon Man movie, Are We Safe? Fact is that these bad actors have risen their level of skill, their level of money they spend, their ability to hack into anything and everything and they know our systems really well because we're mostly a transparent society really and they could right now they could, you know, I don't think it's an overstatement, they could bring down the grid in any city, one way or the other. So the question is, tough question, you can pose it. You just kind of asked that. Okay, yeah, I know. And then we're short on time, right? So let me jump into it. Are we ready? Are we safe? Go ahead, jump in. Yeah. So a bunch of techniques. I read this article the other day, I got an email that said there's going to be a shortfall of 1.8 million cyber security professionals by 2022. So I did the finger math, that's five years out, I didn't believe it. It sounds, the population of the United States is about 300 million, right? But I looked it up and in fact that's the estimate. So we have some significant work to do as a country in STEM education to make sure that we're growing these cyber professionals to understand some of these implications. And one of the things we do is I'm trying to allude to some of the earlier questions. There's some tools that hackers use, there's procedures and tools that we can use to test the vulnerabilities. 
Teaching the students, how do I do proactive system security? I need to put on the hacker to understand how they're going to break into this. So we talked about every hacker is essentially, or rather every cyber security guy is essentially a hacker, right? You have to think as a criminal. Right. You can't defend if you don't know what's going to come after you. So this is, you bring up excellent points. So how are we doing as Hawaii to bring up our own resources here in the cyber world? Tell me a little bit more about your program and some of the successes you're having at the University of Hawaii. Great. So University of Hawaii is a 10-campus system. We have a few four-year universities, colleges, so Manoa, UH West Oahu, and Hilo, and Maui College. But I hear you're a star. No. The students are the stars. They're amazing. And then all of the community colleges. So we have a partnership system-wide. But what we've tried to do is we looked at what are the industry best practices for cyber education, right? Some of these are put out by the National Security Agency, Department of Homeland Security. So system-wide, what we've done is we've strived to get certified as national centers of academic excellence in cyber defense. And in the system, we've attained three different certifications. So at the University of Hawaii, Manoa, they're certified as a Center of Academic Excellence in Cyber Research. At Honolulu Community College, they're a two-year Center of Excellence for Cyber Defense Education. And at UH West Oahu, we were just certified as a four-year Center of Excellence in Cyber Defense Education, which gives the students on Oahu in all of the islands incredible opportunity to jump into this field, one, to protect the critical infrastructure of the country, their families, the things we need. But two, I think what Dave said on your show last week, the unemployment rate for cybersecurity professionals is about zero. Yeah, sure. 
Are we ahead? Is UH ahead of other states, other state universities? I think I'll just go with the facts, right? Of course, I'm going to say University of Hawaii, right? But we are the only four-year institution that is certified as a National Cyber Center of Excellence in Cyber Defense Education. Well, you can do, what, how many millions do you need? We need 1.8 million. 1.8 million. Let's have a whole room out of here. And if you guys want a good career, this is a fabulous career. Absolutely. This is, I can tell you, I code once in a while, can you tell? And I got to say, it's very gratifying. Code? Not the hacking part. The coding part. So you can close. You got a close now, Derek. This is your opportunity, summarize and close. You know, I'm very glad to hear your program is so strong. Thank you. And if you don't mind me, I'll toot your horn a little bit. I heard you guys did really good in a recent competition. The students are amazing. The National Cyber League is a competition, 155 schools, 2,000 people competed, and the students won it this year, best in the United States. It was an amazing feat, and it's just the students running with it. We don't have to do anything. That gives me a warm and fuzzy knowing that you're raising up individuals that can protect us. It's, really, we do not have to pay attention to this. We let these students go, and we've got some smart kids on this. We've got to pay more attention to this is a very important area.