 yourself. Bingo! Four o'clock rock here in our flagship energy show Hawaii the state of clean energy every Wednesday at 4 p.m. and today we have a special guest Jodi Ann Ito. She is the CSO at the University of Hawaii systems and that stands for Chief Infrastructure Information Security Officer. Welcome to the show, Jodi. My co-host over there, Les Tanayama, welcome to you. How are you doing? I missed you last week. About cyber security, what? Yeah. And hopefully she can protect all that good energy work we're doing with Larry. Yeah, okay. Oh, Larry, nice to see you. It's been a while. It has been a while. Welcome back to Think Tech. Thanks. So you have a movie, let's talk about your movie, Marvin's movie, if you will. Sure, we can kick that off. Last week was the energy conference in Maui. It was record attendance. It was a very good showing. Many familiar faces, but a lot of new faces, which was also pretty good. So yeah, very enjoyable two-day conference and a little site visit on Friday, which about a dozen people of curious minds went for the ride. So it was nice. Okay, let's see the movie then. Sounds great. So we're here at the fourth annual Maui Energy Conference and once again, Maui Energy is a sponsor just because we're really excited about furthering the dialogue about the 100% clean energy goals we have for our state and just all the different mixes and elements that need to come into place for us to be able to achieve that 100% goal, in particular energy efficiency. Any time that we have an ability to, in a respectful manner, talk about our views for the future and how to get there, bring it on. I think we need to do more of that and not only on energy, but on everything. You know, I think we've become somewhat complacent and leave it up to others because it's easier, but that doesn't necessarily get Hawaii to where it has to be. 
Energy and for Hawaii, again, being one of the most fossil-dependent states in the U.S., our own energy independence, as well as our ability to create our own future and road map going forward, it is so important. That's why it attracts all of these very influential people coming here to basically move the state forward. Okay, we're back. We're live. Larry, tell us what we saw there. Well, the greatest value for a lot of us is just the networking opportunities. It's really difficult to get five minutes with someone you really need to catch up with and not everyone can get to Maui all the time, so that was great. There was a lot of brass there, wasn't there? There was, there was. I saw Ellen O'Sheema, I saw Brian K. Loha. That's right, Connie. And a number of people from the mainland that are interested in Hawaii for a number of reasons. A few of the other things that I think is important is that it really provides continuity and progress. So this is the fourth time that this has happened, and in that short period of time, a lot has changed. It's also helped the state have a conversation about refining the state's needs. A few years back, it was just the clean energy initiative. We were aiming for 70 percent. Now we're aiming for 100 percent. It's not simply renewables and efficiency. Now it's the grid. It's storage. And the last big change this year was quite a lot of conversation around mobility, transportation, and urban planning. Interesting. All in the context of energy. Yeah, that's great. Yeah. So if you had to pick one theme that was, you know, central in this particular conference, what was it? I think a strong theme throughout is the role of storage. If I contrast it to prior years, they made a big impact. And it's not only, you know, there was a number of local companies like Hulu, but Dynware was there very much in a capacity similar to what most people in the public are aware of Tesla, but also equally on the residential and the commercial side. 
And the uses of storage, you know, for those that are new to storage, I count myself among them. The value that storage brings is not just only storing energy. So what services that provides in the context of a larger, what are we going to do about the grid was really, really insightful. Were there any revelations, any hot news, you know, that like people did not know about? I think that the transportation aspect played a stronger role in the overall conference as far as the schedules and just conversations. And that was a big change in the past years, too, because we're all focused on, you know, the power electricity thing of HECO and things of that sort, but more and more it's about transportation as well. In the past, this conference has focused on the model of the utility model in the future. What is the discussion of that particular and very important issue? Yeah, I think that there were voices, you know, a number of positions. I think there's, you know, at a very high level of consensus that things are going to evolve and change, but there were pretty strong voices that, you know, a utility in some way, shape, or form does play a valuable role and will be present. Another perspective was that the opportunity is at the edge of the grid where, you know, who's going to connect to the grid and what services are going to be connected to the grid. What we often hear are parallels with the telecommunications industry as well. So all that was discussed in a number of, it came up in a number of segments. Two-day conference? It was a two-day conference. Yeah, started the first night, two full days, like I mentioned, and you saw in the video, very well attended, and then Friday there was a tour to the technology park. Well, in Kihei, that's really nice, isn't it? 
Yeah, we visited the Maui Brewery, and aside from being a brewery, which is very fun and interesting, captivating, great tour, but they've gone soup to nuts on efficiency from an energy standpoint, a manufacturing standpoint, very big on PV and storage. But the thing is, it's not because they want to be green, it's because it makes economic sense. Sure. And I would add, I overlooked the, another strong theme of the whole conference was resiliency. So aside from just being smarter with energy from an efficiency and renewable standpoint, in the context of, you know, global climate change, things of that sort, the value, the importance of resiliency and the challenge of how to value that also came up. So quickly over the past, you know, two to four years, the conversation has gotten quite complex. Sure, just as the industry. Sure, Diane, you had some cross-examination? I did, actually. So, and it goes to the resiliency piece of this, too. So, so much of the energy tied to the grid is now interconnected with networks. And so what are the security challenges related to that? Being a security person? You should be able to tell me. But, you know, from what I can recollect from the conference, there was a definite theme or concept of, do you firm up to be resilient or do you retreat? Right. So I would say that the geographic location of assets, if you will, that are vulnerable along the coast, and then in general, just with storms and things of that dominated the conversation. But you might want to recommend the planners for next year that that could be a prominent place in the agenda. In the space that I play, we work with a lot of critical infrastructures. So, and then energy is huge, right? How do we, in our little contained state, we can't draw energy from any other state? How do we ensure that we are resilient and able to at least meet our critical needs? And, you know, there's cybers everywhere now, right? 
And there's so many unintended consequences with things connecting to our network. And so, to me, it's like, I need my electricity. I can't power my devices without it, right? So, yeah. It's a nice intersection. All right. We're at the end of our first segment here, and I'm going to leave it to you last to take a break. Thank you. You know, the biggest question I had for Larry and the conferences, we were very, very fortunate that Carolyn Sean, energy office, as well as Caroline from your office, came back to Honolulu on Friday and gave a talk to us as a opening statement for our ASHRAE conference, and which is Air Condition Engineers. And we met at the University of Hoi An, so I got a little preview of exactly what you said of what was focused upon, and we had some great discussions post that with the various speakers. So I think the Maui conference led to other things. Yeah, I think that's a great thing. Yeah. Well, thank you, Larry. Larry Newman of Hawaii Energy, coming down to talk to us about the Maui conference. Always a pleasure. See you again soon. Promise me. 
Aloha, we're back. J. Fidel here. Oh, no, I'm not J. Fidel, but I'm here with J. Fidel, and we're here with Jori Ito from the University of Hawaii. She's the CISO. You remember what that means? Yeah, no, I can tell you what that means. That's the Chief Information Security Officer. Yeah, that is correct. Okay, so another question is, what is a CSIO? Really? So my job primarily is to protect the information assets for the University of Hawaii's system. This is a big job. It is absolutely a big job. And especially with the university, we're very decentralized, we're huge. My job actually encompasses all 10 campuses. And accounts for both the administrative of oils, the academic and research sides of the house. So how do you do that? With very little sleep. A lot of it is to understand and do an inventory of where our information is, what's very important to the university. So creating that inventory of what we identify as our critical resources and assets, and then trying to protect those. Because we're an academic network, we have students coming and going all the time, they're bringing in their infected laptops to our environment. Oh, sure, by the thousands, yeah. Absolutely. And we need to be open. 
So we cannot have these corporate borders around the networks that say Bank of Hawaii or HECO or any of those other major corporations would have. We cannot block access to sites, even to try to prevent access to malicious software. We have people doing research on malicious software. You got to go everywhere. Absolutely. You have to go everywhere. So again, it's identifying your critical assets and trying to put the borders or protections around those specific things. Okay, what are your, what are the things you worry about? I mean, what are the, you know, the phenomena that you're worried about attacks coming from? So it's a multivariate threat vector, as we call it. So we actually have to protect the network from ourselves, right? Because humans are responsible for probably, I would say the majority of the data breaches that go on. We inadvertently give out our credentials to phishing attacks. We install malware in our systems because we're duped into it. We sometimes email spreadsheets containing sensitive information to the wrong places. We don't protect our servers. So humans, the number one cause. But beyond that, it's about understanding that there are, what do we call them, hostile nation states that want some of our assets, right? So there is a story that I heard from another university where the faculty member doing research went to patent his research as intellectual property. And when he went to do that, it was already patented. So somebody had stole it and patented it. So that he actually had to license it back to carry on his research. So this does go on. And so the other types of problems that we see is with the financial gain, right? So there's these criminal elements that want to make money. And a lot of them, they'll do things like ransomware, right? Well ransomware, sure. They want to encrypt their data and you have to pay them before you get your data. Does this happen? Absolutely, it has happened. 
Luckily for us, in the instances that it has happened, those servers have been backed up. So we didn't have to pay the ransom. We are simply able to restore the information back onto the servers. But what that where it did happen is when we got introduced to Les, is as more and more devices get connected to the network for the convenience and the ability to monitor the sensors with building automation systems. We had a server that had some, it was an HVAC server and that one got compromised by ransomware. So and it was a server that we didn't even know popped up on the network. It had still the default passwords on it. Oh no. So right. So we need to also be able to work with our third party vendors to be able to help them secure their assets on our networks. So I mean without telling too many secrets here, how do you, you know, protect all the old, that's a lot of stuff to protect. How do you do it? It is. And again, so knowing what's important, critically important to the university. So I mean, and this is where I'm going to be a little bit and say, you know, what HVAC system to what I do. It doesn't have social security numbers. It doesn't have credit card numbers. A little less. It's very important to him. A little less important to me. So but it's again making those decisions around which what is really important. And then putting our defenses around those What's a given example of a defense personal information system and how do we protect that? So we do it in a number of different ways. So we call this layered defense. So we actually will protect it by firewalls, by our network architecture to be able to create those private protected spaces. And then we also protect it by only allowing certain people to get into that information. So credentialed access. So this is a lot of work. I can see two o'clock in the morning trying to figure out because you have to you have to be perfect. You have to figure out where no, there are no holes. 
That's actually a good point. We don't have to be perfect, but we have to be able to identify when something bad is happening on our network. Okay, let's talk about that. All right, something bad is happening. Yes. How do you know? Does somebody call you in the middle of the night? Say Jody Ann is something bad happening. And when you find out, what do you do exactly? So it depends on the asset. And actually, we don't get a lot of I personally don't get a lot of midnight calls. I haven't gotten a couple like 11 o'clock at nightish. But and that was in a particular instance where one of our database administrator noticed the strange anomaly where many passwords are being changed at one time. And it's like, Oh, that's a problem. But it's a matter of looking at the logs and trying to look at all the information we have available to us, bringing in the subject matter experts who can help us identify. We have them. Yes, we actually have a lot of them on hand. Well, yes, in Hawaii. In Hawaii. Yes, we need more. We always need more security professionals. Yeah, okay, okay. And we also go to the computer science training. I like computer science graduates. All right, okay. So but the other thing we need to do is to ensure the people who are system administrators, network administrator, database administrators, they have some level of security awareness and training so that, you know, they can identify within their areas of expertise what is not right. Okay, so you find something is not right. And you know, you're homing in on it. You're figuring out who could this be? Maybe you know a little more about it. What are they doing? And how are they achieving some male purpose? How do you stop? What do you do? You shut it down. Don't tell any secrets now. No, not no secrets because this is basically what we call pretty standard incident response. So it depends again on if we suspect we're going to file a report with the FBI, what kind of information needs to be protected. 
Yeah, because sometimes they would want to see what's going on on that computer and it's only stored in memory. So if you were to turn off the computer, you would lose that information. Yeah. So in those cases, if we want to just stop the activity, we might just ask them to unplug it from the network. So the system would stay up and running. The information would stay contained in the memory. And then we can actually have people come in and do what we call forensics. Absolutely. And then try to figure out what happened. Who did this? Who did what. So are you looking to prosecute people who fool around? If we can identify, so what we would do is we would call our law enforcement friends, HPD, FBI, and they would have the ability to collect the evidence to determine if there's enough evidence to to create a case. Yeah. And a lot of times if they can identify that the actors are coming in from different states or it's occurring elsewhere, then they would create a case that's coming in from, you know, sources coming in from different places. Well let's take a, you know, a case, a case study. So somebody runs into your office and says, Jody Ann, Jody Ann, we found them, we got them. You know, he's in Mo'ili-Ili, okay, and he's doing malware on the university system and we got him, we got his name, we got his IP address, we know what he's doing, and my question to you, CSIO person, okay, is do I call the police? Do I have this guy indicted? Do I have him prosecuted? Are you going to testify? So it depends on who actually does the forensics to get the information. That law enforcement can then use to, you know, put into their case. 
So and generally it won't be me because my job is more like the product manager, I'm organizing, coordinating, orchestrating, but the people who are actually going in and doing the deep dive would be the forensics experts and in those cases, if we want to prosecute, we might actually bring in a authorized or a very specialized commercial company to come in and help us do that. Yeah, yeah. Because they know exactly how they need to preserve the evidence. They want to have that ability just in case. But I wonder, but you mentioned in passing earlier about state actors, you know, and that can always concerns me. I mean, look what happened to Sony a couple years ago, and there was no good reason to bring Sony down like that, that, you know, Kim Jong-un was just having a bad hair day. But, you know, somebody supposed some state actor with all kinds of resources wanted to injure Hawaii and through that, I mean by virtue of injuring the University of Hawaii, could this happen? How, what would you do and how exposed are we to that? So, I would suspect what they would do is use the University of Hawaii's networks and assets, computer assets as a jumping off point. So, and they would want to hide their track. So, they would come in perhaps from another state, come into the University and then have to get another place. It's really difficult to try to trace all of the actors as they try to, they're really good at hiding their tracks. And so, most of the times what would happen is law enforcement or there would be other external agencies that would tell us that we suspect, you know, X is in, and they actually can't attribute the, if it is a hostile nation state, because that is protected information. So, all they can do is give us indicators and say hey look at this computer and so then we would try to assist if they need it. But in general for us, it would be really difficult to identify if it's coming in from a particular. 
Okay, suppose I'm Joe Tanaka and I'm a sophomore and I have a computer and maybe I haven't put any virus protector on it and it gets all garbled up and there's malware on it and it's, you know, it's hopping with little, little buggies. Okay, we're going to pop it up like crazy. Pop it up and down, yeah. What are you going to do for me? What are you going to tell me to do? So, actually, we as a university, we don't actually work on people's personal computers in particular unless they say okay, we won't hold you responsible. Well, I won't in case you delete any of our information, right? Because, you know, as you're going off and removing malware, it is possible that we could actually delete anything mistakenly. Term paper, whatnot? Yeah, the computer ate my paper. In this case, the virus ate my paper. So, we're very careful about that, but if they do want some assistance, we'll provide them some direction. Like, here's some free tools that you can download and use to try to identify what's on your computers and clean it off. A lot of times, the computers are so infected, it's very difficult to extract just the malicious software. It's completely messed and you'll have to scratch the disk and start again. Boot and nuke, right? Yeah, nuke and boot. Okay, Mr. Ifma Les, up to you now and I think what you might do, given that we don't have a whole lot of time, is summarize what Jody Ann was saying. Well, from what I'm hearing, Jody's job is quite diverse in a quite diverse situation and she's allowing the president of the University of Hawaii to access their network as well as they want to be freshmen and others. And because from what I hear, they have a really, really fast pipe. You know, so games. So my curiosity is, are you protecting every single asset? It's a good question and unfortunately the answer is we cannot protect every single asset. So we, again, by doing categorizations of risks, right? 
So if you're a student and you're coming and going and you have malicious software on your computer, and let's say we get an external report about it and we know that you're on the, what we call the wireless network or the general purpose network, we probably won't be able to come down and say your computer is infected. So they will notice it in other ways and we can try to help them at that point. But no, we cannot protect every single asset, every single student, every single person at the levels that we would for our critical assets. So as you know, I do a lot of work at the universe. Yes, you do. I like energy and administration loves it even more than I do, but they want the data. Correct. So we're, we actually have a private network of sorts, you know more about it than I do, that is looking at all these meters for every single building on campus. But I need access to it. My building automation system needs access to it and from what I hear even this called service needs access to it. Is there any danger between all this? Yes, there is. Oils in my pipe. Yeah, so we call this where you're interconnecting the different networks. So let's say we build a private network and make it secure, but you need access to that data but your computer's infected. Yeah. How do we protect our private network from your infected computer? Right, so we would hope that you would be coming in through a firewall that would then be able to block some of that malicious activities. So it is very important to talk to the IT people, the network engineers as these systems come online so that we can help create and architect those secure solutions to be able to help you. Thank goodness that happened because I got to go through the special network configuration with special IP addresses and security access codes and all this and I think that's the firewall, isn't it? Possibly. I would actually need to take a look. Time goes on, this is going to get more complicated. 
It is, unfortunately it is, but people expect it to be as simple as picking up your phone and expecting it to work or jumping in your car and getting it to start and driving off, but because people are expecting convenience in everything we do, like we have smart light bulbs, we have TVs that connect to the internet. Oh, you have the internet of things. Oh, amazingly. And so, you know, your job is going to be more complicated but the stakes are higher all the time. Absolutely. Great universities require great security, may I say that here. It is very important and we need to grow more security professionals, that's my pitch, you know.