Streamline Your Security Pipeline Deals with airSlate SignNow

airSlate SignNow's easy-to-use solution offers great ROI and flexible plans tailored for SMBs and Mid-Market businesses.

airSlate SignNow regularly wins awards for ease of use and setup

See airSlate SignNow eSignatures in action

Create secure and intuitive e-signature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Collect signatures 24x faster
Reduce costs by $30 per document
Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans
Director of NetSuite Operations at Xerox
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.
Samantha Jo
Enterprise Client Partner at Yelp
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.
Megan Bond
Digital marketing management at Electrolux
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.
Walmart
ExxonMobil
Apple
Comcast
Facebook
FedEx

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Pipeline deals for Security

Are you looking for a secure and efficient way to manage your pipeline deals for Security? Look no further than airSlate SignNow by airSlate! airSlate SignNow offers a user-friendly platform that allows businesses to send and eSign documents with ease. Whether you need to sign important contracts or send out proposals, airSlate SignNow has got you covered.

With airSlate SignNow, you can streamline your document workflow and ensure the security of your pipeline deals. Say goodbye to cumbersome paperwork and hello to a more efficient way of doing business. Try airSlate SignNow today and experience the benefits for yourself!

Sign up for a free trial of airSlate SignNow now!

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs online
Generate templates of your most used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

Get legally-binding signatures now!

Trusted e-signature solution — what our customers are saying

Explore how the airSlate SignNow e-signature platform helps businesses succeed. Hear from real users and what they like most about electronic signing.

Easy to use and very competitively priced.
5
Juan Rojas

What do you like best?

Everything is pretty intuitive. If you're familiar with other solutions this is easy to pick up.

Exceptional Service - Would recommend to any Non-Profit
5
Molly McKenna

What do you like best?

This app is very easy to use, and train others with. We need this application for sending documents to our families that we serve to get their signature. Customer Service and the tech help have been amazing in making sure that we can move forward with our important work.

Great for signing documents while out of school
5
Whitney Curole

What do you like best?

The convenience of creating the signing boxes and sending the document straight to the person's email. Additionally, the signer does not have to have an airSlate SignNow account. I enjoy that the most!


How to create outlook signature

all right hopefully uh been seated now so again just welcome to today's webinar uh excited about this webinar focusing on the new tsa uh pipeline security directive again uh name's mike hoffman um uh principal industrial consultant here with dragos um just want to go over a couple of housekeeping things though before we get started with the webinar so this session is being recorded and a recording will be going out to those attendees after the webinar also um we have muted the lines and but we still encourage you to interact with us so you can interact with us via chat one thing um so so as webinars going along please feel free to use the chat to submit questions as we go uh after the webinar uh we'll have some time for q a uh we have also um just so you're aware we've also disabled the q a capability though just to allow a little bit more privacy for the attendees so the chat sessions just go to the uh the speakers and moderators and we will be you know working with those going along with that said um we want to do a quick introduction and and uh for the folks that are on um you know that are working on the panelists today so first of all we have jim gilson uh jim is a technical leader global services team jim focuses on um you know doing assessments in ot and that kind of thing jim has been involved in multiple large scale initiatives including developing you know national uh cybersecurity standards doing maturity evaluations across large corporations and so forth doing architectures assessments and also very very involved in different standards and regulations bodies sam wilson also is with us sam is the product marketing manager here uh with dragos over the dragos platform sam loves working with customers being able to solve some of the toughest challenges with cyber security regarding the platform and its capabilities improving asset visibility threat detection vulnerability management with that let's go for the next slide so before we get started here just 
want to do a quick overview of dragos i know most of you if you come to this webinar today have come through the channels of dragos somehow so i'm sure there is some familiarity there but nevertheless want to kind of go through and talk about the different pillars of dragos so dragos is a technology company built up around different capabilities the first one around of course uh is is within you know that community focus safeguarding civilization with a lot of our programs and those kind of things out in the community such as um uh you know different things we have our intelligence arm with dragos doing uh you know looking out that forward looking looking out in the threat actors those kind of the people that are targeting uh these infrastructures also with our services teams uh from consultancy and penetration testing risk management so forth all of those different pillars if you will to feed back into our technology stack our dragos platform and those kind of things looking into being able to detect uh through looking at network protocols and so forth looking at behaviors uh understanding your asset inventories getting that visibility understanding traffic flows and so forth so dragos again it's made up of multiple different facets all those things here to serve and support the community and one of the ways we do that is through this uh you know this you know looking out within changes that are going on in the community such as this tsa directive that we're talking about today with that i'll hand it over to jim and let him kind of walk us through some of the things that are going on here with that though before i do that just the agenda today though is the really the timeline of events uh thinking about what's going on with this standard the tsa standard so we have you know that you know with the the standard has kind of matured quite rapidly uh through the the two series we went from b to c uh so here today we're talking about you know with the events of this 
uh kind of leading up to this new standard or or this new um document that's come out and also looking at ways to that uh the dragos platform and and other piece parts and pieces of dragos can support the community through this effort so i know these uh require a lot of effort a lot of time commitment from folks and and we're here absolutely to help and support your needs where they seem fit so with that uh we hand it off to jim and we'll get started

thanks mike um so taking a look at the timeline of events uh it really kind of stemmed from the colonial pipeline attack in may so i was sort of a primary forcing function to tsa developing the series of pipeline security directives um so to start with uh on may of 20 uh or on may 27th of 2020 um 2021 tsa released its first security directive uh for pipeline owners and operators um this was uh fairly uh benign it was just as a way for them to start saying okay we want you to start thinking about cyber security and and have at least a minimum set of things that you're doing uh related to that um tsa had previously released uh the a series of pipeline security guidelines uh back in 2018 and then they updated it uh in 2021 uh and so one of the uh they basically were saying okay we understand that we've released this we'd like you to start uh really looking into how you can work with that so the first thing in the first series of pipeline directives was establishing this cyber security coordinator so this was a single point of contact that tsa could go to to to understand the way that that organization uh did cyber security how they uh who they could contact in case they needed to to find out what was going on uh maybe they had a cyber security incident so tsa wanted this single point of contact to uh have at their disposal um and then they were also required to sort of report cyber security incidents to cisa within a certain amount of time the recent version says within 24 hours so basically in case the the organization 
does suffer from an incident of some sort they needed to report that to the government agency to tsa so that they could start to plan for any long-term impacts or anything like that um and then related to that pipeline security guideline um tsa wanted the uh pipeline owners and operators to actually sort of conduct a vulnerability assessment of their systems against this security guideline previously it had been somewhat voluntary it wasn't like an actual uh regulation it was here's a series of things that we think owners and operators should do to improve their cyber security uh and now um they basically said okay we've had this out there for a while you should know about it and we would like to find out where your gaps are related to that security guideline then uh on uh july 20th of 2021 tsa released its second security directive um this one was much more prescriptive in nature and it had a whole series of uh um security uh critical uh critical mitigation measures is what they called it but basically these are cybersecurity controls that get applied to the system in order to improve the overall cyber security when this document was originally released it was considered security sensitive information so one of the difficulties that pipeline owners and operators had was that they could request a copy of this document from tsa but then they couldn't re-share it with their vendors or their suppliers or integrators in order to sort of add those requirements into their service agreements or their contracts they couldn't point to it they had to then go and recopy those in or determine how it would work in their environment um they couldn't share the document directly um on top of that um then they they um the information resulting from that was also considered security sensitive information um the the second point in the the directive was this idea of developing contingency plans or incident response plans um as a direct result from colonial pipeline they wanted to 
make sure that owners and operators had at least a plan for how to deal with the cyber security incident understanding that no system is perfectly protected and there will be incidents so they wanted to understand how the organization responded to those incidents um and then they also wanted to to understand and make sure that the organization understood how to test the effectiveness of their cybersecurity practices so not just putting things in proact um as sort of a preventative measure but then finding out how well they're actually doing with those uh cybersecurity measures and how well their plans match up to uh the desired uh level of cybersecurity protection um so tsa spent time uh over the next year evaluating um not just owners and operators but also evaluating and receiving feedback on those cyber security directives um in may of this year may 29th of 2022 they released a revision to the first cyber security directive this was mostly to reaffirm the original version there weren't a lot of major changes um i if i remember right the may 20 the the one that was released in 2021 only had a year long before it had to be renewed and so this this version earlier this year was just a sort of mostly a renewal of that next in early june tsa listened to some of the suggestions they got from owners on operators and and decided to remove the secure uh the security sensitive information marking on the original uh version of the second directive and what that meant is that now the owner operators could like just attach that to a contract and say you need to meet the cyber security requirements as part of our contractual agreement instead of having to re-word or or rephrase those requirements which made it a lot easier for the owners operators to to work with um and then on july 21st so just about a month ago tsa released a revision to the security directives and that's what we're going to be kind of focusing on here within this webinar and we'll get into the details of 
what's included in the document here and shortly um now one of the things about the most recent revision to the second security pipeline directives is that it was a major shift in focus from what they released in july of 2021. the first major thing is that they changed from very prescriptive requirements to what are called sort of more functional or performance based requirements so instead of describing how and how soon very specific technical things had to be done they switched to a more functional and performance-based language to saying okay this is why or this is what we would like for you to accomplish and this is why we would like you to accomplish it and what that did is it allowed owners and operators to find the technical solutions and find uh and make those risk-based decisions of what they would actually implement at one particular time that met their particular needs another major focus and shift was sort of realigning the standards and requirements with ones that are more industrial control system or ot uh align standards um so there were less specific uh requirements that are that are sort of i.t focused and understanding that there is a difference in the environment uh for ot and so that's that was another shift as well uh and then lastly there was a sort of shift in the way that they discussed deadlines the earlier version had sort of a requirement uh by requirement deadlines and so some things were 30 days some things were 15. 
you had to do this within seven days there was a lot of different specific deadlines and timelines you had to deal with and instead the the new version basically discusses uh an overall timeline for how the organization deals with things uh and looking at uh sort of implementing plans for how they're gonna work with cyber security so going along with the idea of those deadline changes this sort of like the three main elements in the the revised pipeline directives are this idea of a cyber security implementation plan the cyber security assessment plan and an incident response plan these aren't really major differences between what was in the original plan and what's in the revision it's um just the way they phrased it and as i said some of the differences in timing on things so the organization has to develop this implementation plan and turn it into turn a draft into uh tsa within 90 days of the effective date so that um is sometime around the 25th of october don't quote me on that date specifically but that is that is um from the effective date that should be about 90 days out and that basically was a discussion of here's the draft um and so at that point tsa and the owner operator work on basically getting an approval for that draft so it's not um that they're being held to that uh the instant they turn in that draft uh they're trying to actually make sure that that draft uh is sort of acceptable to tsa and so there's there's an approval process that goes through um and then once that draft is sort of accepted and approved by tsa within 60 days of that approval they need to turn in a draft of their cyber security assessment plan so that will be um that they have to basically say okay how we're going to assess that we are uh we are implementing our cyber security practices and policies effectively um and then also build into that um the ability to scan or measure that effectiveness on an annual basis um and then lastly is the incident response plan um the 
language around the incident response plan is is somewhat vague in terms of deadlines on it it just says it must be kept up to date um and uh on top of all this the security directive itself doesn't really talk much about potential penalties to not meeting these dates um that's something that tsa themselves would have to comment on directly there's nothing written into the um the directive itself discussing penalties so now delving a little bit deeper into the requirements themselves um the elements in in the the directives should seem fairly familiar to anyone that's looked at a cyber security standard uh whether it's it or ot they they all have very similar elements um and so the first one is identifying the critical cyber systems this is a main step for just about every uh single cybersecurity standard out there is understanding what you have in order to develop your protections um and from the regulation point of view this also helps the owner operator sort of scope out what the particular um what is actually under regulation so they can basically work to understand what are considered uh critical cyber systems that's actually a very specific term in tsa speak and so they can they can basically define that as part of their implementation plan next is network segmentation understanding that there are differences in the networks that are involved with it and ot systems and understanding that that boundary that may exist between those two systems is very important so to start with um they want to basically understand a lot of the interconnections between uh different systems within an environment so a lot of times they're broken into different zones and whether that zone is lower down in the architecture and more device focused or it may be things like your demilitarized zone that are protecting your ot from your corporate network they want to understand the dependencies that you have and the the act the different connections that you have going across those zone 
boundaries um and then on top of just understanding the connections that are going on understanding the security boundary uh protections that have been put in place so understanding the firewall rules and understanding the access control lists or restrictions that have been placed to help um sort of respond to and deal with the spread of an incident in case it happens next major section is access control and they're looking to not just look at remote access into the system they're also looking at local access so how does uh someone that's an engineer on the system uh access uh things what kind of protections are in place uh within the entire environment to sort of like restrict access uh controls throughout the entire environment um where to start with where feasible they would like to have password resets um and that there are a number of devices that get left with default passwords uh or they may be simple passwords or passwords don't get changed when people leave so they would like to basically schedule password resets where possible and where feasible within the environment um again this is sort of they're not expecting it to be done within this number of days uh after enablement uh but they basically are trying to say okay figure a schedule out that works for you to actually to conduct these password resets on top of just password security they would like to supplement that with multi-factor authentication where possible and where feasible again they understand plcs are probably not going to have mfa associated with it but maybe the engineering workstation that controls that plc or controls the um the program that's loaded onto that plc does have the ability to run multi-factor if you're accessing it remotely so they're trying to say okay supplement what you can do with regular passwords with a an additional level of security as well um and then looking to sort of utilize least privilege this is a standard uh practice that's discussed in a lot of different 
access control things it's it's limiting the amount of access any one particular user has to just the things that they need going along with that is limiting shared accounts so shared a shared account you can't sort of uniquely identify individual people uh to limit their ability to uh have certain privileges so limiting those number of shared accounts to the minimum is important not everything has that capability some of the older devices especially don't have the ability to to create individual accounts so they say to limit it not get rid of it completely and then one last aspect to access control is understanding that a lot of the environments within the ot world use windows and active directory or other types of centralized user account management functionality and you need to understand the relationships between the different uh domains that are set up within your environment whether that's having an ot environment that relies on some trust relationship with it or multiple domains within the ot environment or or things like that you need to understand at least uh what potentials those would lead to if there's a trust relationship between those zones another major aspect to the implementation plan is continuous monitoring and detection and i know it's somewhat self-serving to have a product company that talks about uh that builds a product in continuous monitoring and detection uh telling you that yes you have to do this but in in reality what it is is it's an assumed breach model no protections will be perfect so there's always an assumption that someone can get in if they want to get in so if they do get in how do you know that they're in there how do you know that your systems may potentially be affected so you have to add on these additional monitor monitoring and detection functionality into your system to understand those that that potential for an attack happening so monitoring and and potentially blocking suspicious or or malicious code or 
communications maybe that's a download of a malicious program uh or it may be uh um modbus traffic that's going across your ot boundary that shouldn't be there or something like that that that um just understanding what should be there getting that baseline of what your systems should be doing and then understanding and being able to sort of like audit when they're not uh when you see things that are outside of that norm that doesn't mean that everything outside the norm is automatically bad but what it does mean is that this is outside of what i'm expecting so maybe i should go and investigate it and it may turn out that it was just some uh emergency situation or an alert that doesn't normally happen an event-based alert or something like that but at least you have this uh understanding that something new happened and i should go and take a look at it um and then also having the ability to to collect and analyze uh intrusion and anomalous behavior so having some sort of monitoring system that sort of exists uh outside of the normal control system whether that's passive network scanning or a passive network sort of monitoring of the system um or it's collecting logs uh that are sort of produced by the individual devices themselves having something that sort of like can look over all of the systems and and uh identify potentially a threat based uh activity um and then going along with a monitoring intention um as well as that network segmentation piece in the previously is the ability to like isolate ot from the it network in case there is an incident and this is in in direct response to colonial pipeline where their i.t systems were what was truly affected it didn't it didn't um extend into the ot environment however there were those dependencies between the ot environment and the it environment and they didn't understand fully uh how tightly those were integrated so now this is making sure that you have the ability to fully isolate if you need to and understanding 
the potential impacts of that maybe you can work at a degraded sort of performance level but at least you can continue operating it may not be you may not have uh as a nice output or you may not be able to track things as down to like micrograms or something like that but at least you could identify uh general amounts uh of things going through your pipelines as well so the last area of the implementation plan really has to do with patch management and this is an understanding that patching within the ot environment is quite a bit different than patching within the it environment you can't just reboot all these systems when when things happen they need to be up and running um 24 7. and so you may need to wait for the next shutdown or you may need to wait for the next maintenance window in order to to patches um so this is sort of that aspect of looking at your potential patches that are coming down the road whether that's microsoft or the particular plc vendor or or whatever um and being able to look at them and understand the criticality of that patch or update and sort of categorizing and determining what is critical and has to be done with now what may potentially have to be done later and then what can actually be put off completely because it's more of a functionality or a feature update versus security update uh so things like that um and being able to sort of like look and identify the critical things that you need to do um and applying them where it is feasible um and then implementing uh sort of establishing a timeline for how you can proceed with those set of patches um you're also trying to then um this idea of categorizing and determining criticality shouldn't be just based on your own internal experience you should use information that exists uh from sources like uh the the dhs cisa for things like the known exploited vulnerabilities catalog they provide a lot of information specific to ics vulnerabilities and and patches and updates so take a look at 
that to help prioritize and categorize those different patches and updates and then where you know that you may not be able to implement those patches uh or updates figuring out a way to sort of um develop alternative mitigations or compensating countermeasures when you can't apply them right away or they may not be that you may decide that the risk to applying those patches is too much uh at all and so you have to figure out another uh mitigation strategy to deal with that potential vulnerability um now the next aspect is is taking a look at that assessment plan so this is mostly about assessing the effectiveness of the implementation plan itself so a lot of what you're trying to do now is is conduct the first aspect is sort of conducting that architecture design review so looking at your systems and understanding how they're designed doing some network traffic reviews uh doing some look at the system logs that you've got configurations and understanding how it's designed and how you can sort of improve the overall cyber security as you're going along um and then looking to see how you can do more advanced testing so a lot of times an architecture design review may be either uh somewhat of a paper study or a passive uh within the system um but then how can you incorporate more advanced uh kind of testing and say penetration testing or red team or purple team testing within your environment as well whether you do that in a lab environment whether you do it during a maintenance window or something like that so uh looking to say you should look into these testing because they're they're more in uh they will get you a more realistic view of how your system actually reacts to the uh potential incidents um but understanding that there are aspects of that that shouldn't be done in a normal running environment and then lastly um developing this incident response plan um this is very similar to a lot of other incident response plans whether it's safety um or production 
kind of things um but understanding that uh you're dealing with cyber security so now you're dealing with um things that people may not just not be used to uh they may think it's more a production aspect and so you need to actually do things um like run tabletop exercises to understand how your people will go and actually respond to a particular incident and some of the things that they they specifically want you to call out and understand is is run sort of scenarios of segregating infected networks you know that you've got an incident in this particular facility or this particular system within a facility and how do you isolate or how do you segment that network um so that it doesn't spread around your systems um how can you isolate it and ot like we talked about before in case there is an incident on one side or the other so this isn't counting on it always bringing things in maybe something comes into ot and you want to prevent it spreading out into it or even into other facilities within your ot environment um securing and maintaining backups so this is uh always an aspect of trying to how are you going to bring these systems back up and running when you do sort of restore operations um having that way to to bring your systems back up uh that you know that your that your systems are backed up uh and can be restored you know that the integrity of the backups is actually good um and that you're not trying to um bring something back up with a corrupted backup um and then also trying to um identify sort of the individual positions and people that are going to be responsible for actually implementing this uh incident response plan so as part of the conduct conducting these tabletop exercises you're going to identify certain people that need to be responsible for certain aspects and then writing those in writing that sort of aspect into their role descriptions so they know that they're actually responsible for this it's not just they're being grabbed in case 
something happens. They actually know that they've got this responsibility, they're supposed to do these things, this is who I'm going to contact if I have to do something from here. Um, so with that I will hand it over to Sam and I will stop sharing, um, and Sam's gonna pick up to talk a little bit more about Dragos services and platform.

Great, thanks Jim. So, I mean, as Jim mentioned, there's really nothing that's new or novel, um, with Pipeline 2021-02C. Most of you are already doing these things. This might seem like it's a kind of a distraction. Maybe you're feeling you're already overwhelmed, you're under-resourced, how do we handle this new thing that's coming at us? And, and what we'd like to do as, as the last part of this webinar is kind of explain some of how what we have to offer could help you to, um, fulfill the, the mandate and some of these different controls that have been specified. Um, Jim and, uh, and Mike and others, they're, they're very humble colleagues that I have, but one of the things that I'm most impressed with working for Dragos is we have, we've had people that have been involved in writing standards at a national level, serving as co-chairs on subcommittees, even protecting some of the super majors, like the biggest oil and gas customers. And so what you'll see us sharing today is really informed by the experience of these folks that have, uh, joined the fight on our side, so to speak.

All right, this is a little bit of an eye chart, but what I wanted to do is just to kind of start to align or to map some of the various components we have and things like our, our platform, um, to Pipeline 2021-02C, um, and just to make it a bit easier to consume. And this is a, a partial list. We'd be happy to give you a, a full breakdown after the webinar. Make sure that you, that you reach out to us to get that. But if you hear any vendor that's saying to you that they can help you to be completely, uh, completely compliant with this directive, I would question and challenge that. There's so many
components to this that are only going to be met by a combination of automation and technology, but there's a huge piece that's really going to be formalizing, uh, different policies you might have, looking at compensating controls, how do you assess what's in your environment. And so it's not going to be, there's no magic solution out there. I mean, if you think back to SolarWinds when it happened, uh, I, on a podcast this morning, I also seen Mandiant talking about that, and, and it was only because someone did a manual check on an MFA alert and they contacted the employee to confirm what was going on that the whole SolarWinds fiasco got uncovered. So just translate what you're hearing here in Pipeline 2021-02C back to what you're doing today, right? Keep doing those things, um, and, and look at this as something that you will continue doing, not something new that you have to do. A lot, I know a lot of you on the call are either aligned with compliance, uh, or risk management. This is still a core part of your job, and this is just a way to kind of capture and formalize what you're already doing, so think of it that way.

Um, but if we talk specifically around how the Dragos platform can support, uh, different components in, in the security directive, there's a number where we have core capability that directly, directly aligns, and then a number of different areas where we can provide supporting data. For example, we have a lot of different third parties and partners that we integrate with, maybe on the firewall side or on the SIEM side, and so we can be part of that ecosystem, uh, and that, combined with the services that Jim will explain before we're done here, uh, helped to paint a pretty holistic picture.

But let's, let's just drill in for a minute. There's a few specific use cases that I can illustrate easily. Some of these Jim covered on earlier slides. So if you think of how you're monitoring for connections, uh, between the enterprise or the IT and the OT networks, um, and then anything unexpected
that's, uh, beaconing out to the internet or some external, um, uh, network, uh, make sure you've got systems in place that can detect that network communication, but also if there's a threat. So there's a certain behavior, maybe there's some composite detections you want your, your vendors to be able to provide, um, and not just signatures but actual intelligence based on, uh, types of attacks that they're seeing in the field with their customers. And then of course there's another big component that has to do with, um, having a thorough assessment of all of the assets and devices that are in your environment. Not only that, but knowing which of those are vulnerable and which ones to pay, you know, to give the first priority to. So once you know what's there, you have to know what to do with it, and the best way to know that is if you have a system that's able to give you the guidance and to prioritize where to spend your, your efforts first.

So let's, let's take a look at a couple of these. Um, these are static screenshots of, of an oil and gas demo system we have that's running our platform, and this is just to give you an idea of what to expect. And again, if you're interested, you know, reach out to sales afterwards. We'll have one of our solution architects, um, get in touch and we can do a, a walkthrough of what this might look like for you. But being able to process tremendous amounts of data in almost real time is critical, especially for multi-site environments. So what you want to be able to do is to spot unexpected traffic between locations, sites or subnets. Um, there's ways in our platform that we can logically group these things, and we have a, a time bar facility that lets you scrub back and forth. So for doing forensics or any kind of incident response, being able to go back to a certain point in time and see right at that date and time, uh, which devices were communicating, what protocols were being used, the amount of information that's flowing back and forth, is extremely effective for teams of
doing any kind of incident response or trying to troubleshoot or triage what's going on. And, and likewise being able to group things logically, so, you know, tagging or categorizing assets so that they're presented in a way that makes sense to operators, not just a big table of, of data and devices with names that are arbitrary, but seeing the logical function and grouping of these different collections of devices and then the flow of information between those, those different components, helps you to pinpoint the things that really are happening that shouldn't be or that may not be authorized.

I, I mentioned, uh, knowing which devices are in your environment, and believe it or not, I mean, this is a challenge for a lot of customers, big or small. Um, just the nature of the industries that you're working in, um, you know, sites that are highly distributed, acquisitions, divestitures, changes during turnover that don't get documented, things that are commissioned and may not be fully, uh, documented. It's, it's a changing environment, but they're long-standing environments, and so we understand having visibility is sometimes a challenge. But that's the foundational part to then knowing which of those systems you've got visibility into are, are vulnerable. And what we've developed is a system in our platform that takes those public CVSS scores, and our threat intel teams are analyzing all of those, especially the, the ICS or the OT specific ones, and they're looking at them in the context of how those systems or those devices are typically deployed in the real world, and in a lot of cases will either upgrade or downgrade those scores, uh, based on, um, reality and not just what the vendor or CVE might be saying those, those scores should be. So we're looking at it to give it context based on reality, and then we adjust those scores. Um, and then from that we're able to assign, uh, our risk level, right? So you want to focus on the most critical vulnerabilities first. Um, and we also indicate, uh, by measure of a confidence
score how certain we are that what we're seeing is in fact that device and this vulnerability does in fact, uh, pertain to that device. So these are different measures to organize the work you have to do. And, and then what we also provide, uh, customers for every vulnerability is, um, a prioritized ranking list of now, next or never. So now are the vulnerabilities that we think you should get on as soon as you can, next would be the ones that come next in order, obviously, and never are ones that, uh, we feel probably don't have enough criticality that you need to consume resources to mitigate those.

For all the different vulnerabilities we include a lot of detail. So we describe it, we have our own curated guidance, so beyond just improving the accuracy of the public scores, and you'll see this, um, Dragos corrected CVSS score here as well, we, we give you the, the mitigating, um, guidance around how to deal with that vulnerability. And then we're not only just doing vulnerability monitoring, which some vendors provide, but we're allowing you to manage, um, those vulnerabilities over time. So you can, you can, you can accept it, you can assign it, you can, uh, track the, the disposition of that vulnerability so that you've got an audit record. And again, for a compliance perspective, it's really important that you can, you can show an auditor, hey, we knew about this vulnerability, this is the action that this person took, and all this is being logged as well, so you can, you've got that system of record, uh, to be able to go back to.

Um, in, in the, the summary of the vulnerabilities will include information like what ports we're seeing, uh, traffic going over, maybe how many different source IPs, um, were also sending communications, and then which of the products are affected, right? So it's important to know in your environment, again, so it's, it's contextual. This is what we're seeing and this, this is where to focus. Beyond that, we give even more granular levels of detail, so the, the attributes that go into
the score, the impact, the access levels that, that's required. Jim touched on this in one of his earlier slides, because, you know, remember that it's not only people that have access levels, devices have access levels. If you've got shared service accounts, guess what, those devices are operating within the context of the permissions that that service account's been assigned. And, and so we look at the security impact of this to your systems, but beyond that the operational impact as well, because not only are you trying to stay compliant, right, and you want to manage risk, you want to protect operations, because, I mean, as Colonial showed us clearly earlier this year, the last year, downtime has lost revenue and there's, there's impact to brand and others, other issues that need to be considered. So we look at the operational impact as well.

And then we know that a lot of your environments, you have multiple instances of different devices or assets, so if you've got one device, um, at one of your sites, there's a good chance you'll have that same device elsewhere. We show you where else we've seen those devices sitting so you can kind of do some, some batch work on them all at once, again to make the, the process, uh, more impactful with, with minimal resources. Um, and then, you know, if there's multiple CVEs that are tied to the vulnerability of those devices, we'll give you that breakdown so you can see exactly what's going into those, uh, the confidence levels and, and the scores and the now, next, never guidance that we provide.

Um, so Jim, I'm going to turn it back over to you, but could you just maybe talk for a few minutes around how some of our global services complement, um, Pipeline 2021-02C as well? You might be on mute.

Yep, yep, absolutely. Um, so there's a lot of aspects here, um, that, as Sam was saying, that technology can't solve everything within, uh, the, within the 02C requirements. Um, just to start with, identifying the owner operator critical cyber systems. Um, while that is a standard aspect to almost every
one of the, uh, cybersecurity standards, understanding how that applies to the OT environment, understanding how you can actually, what systems may, uh, have a real impact on your overall production or things like that, um, is an aspect that we call crown jewel analysis. So understanding, uh, sort of doing that system engineering breakdown of where your syste-, of what your important systems are, and then what, uh, the important subsystems are within that, what the individual components are, and then maybe even the functions within those components.

Um, taking a look at the sort of like incident response side, um, we talk about having incident response services. So we, we have incident response workshops where we can help you actually develop incident response plans, or at least come up with plans of how you can develop your own plan. We will help you sort of understand the aspects that need to get put into that. And then on top of that, there's an annual exercise to test the effectiveness, and so that's where we can also help you sort of like run tabletop exercises. And so we'll actually go through and, and help you understand who needs to be involved, what their potential roles are, and then, and then actually develop scenarios, uh, that are relevant to your organization.

Um, going along with the assessing the effectiveness, um, the, uh, they asked for having this, uh, cyber security, uh, architecture design review. Um, and so we have a special, or not, not a special, basically we, we have an aspect to our architectural design review that's specifically targeted at, uh, sort of pipeline cyber security and, and understanding, uh, this, uh, particular directive and understanding aspects that, that go into, uh, the, the need to conduct those reviews, and then getting on a schedule to, to conduct or, or help you, uh, develop a plan to conduct those every two years. Um, and then, uh, also going along with that architecture design review piece is, is understanding how to do, uh, effectively assess all those aspects, so not just the
implementation plan but also your, uh, um, your, um, your incident response plans and other aspects as well, to just develop that and have it sort of integrated into your whole system. And then, as I said before, they would like you to look into things like more in-depth, uh, more invasive testing, and we have, uh, a network penetration testing, uh, and purple team testing that can help you to, to do that, and we've got experience of doing that within the OT environment, uh, and, and all the aspects that go along with that.

Great, thanks Jim. And I, I know also that we have, for example, some, some folks on staff that are even former TSA auditors, so there's a lot of kind of in-house expertise around, practically speaking, what can the pipeline owners and operators expect moving forward, and we'll do our best to provide guidance to customers through that process if they're interested. Okay, um, a couple more slides, and then if there's any Q&A, let's, uh, save a few minutes at the end. Um, but maybe Mike, do you mind doing a quick wrap-up and then we'll see if there's any questions that were submitted?

Absolutely, thanks Sam. Yeah, so if you can kind of think about, you know, this presentation so far, and thank you, you know, Jim and Sam, so much for doing, you know, kind of going over those two key areas. But for, for you folks that are owners and operators, um, you know, today some of the, the takeaways and the deliverables are, are beginning to work on these plans. So first of all, that implementation plan that starts, um, the work should be getting now to do that. Making sure that you have an incident response plan in place, and if you need to dust it off a little bit and update it, now is the time to do that. Of course, again, irrespective of a TSA guideline, every company that is working in the OT/IT space needs to have an updated incident response plan so you understand, you know, when things occur, um, you know, how do you respond, who your teams are, you have communication pathways and so forth, call trees, all that needs to be within
there, when you call, who you call, uh, then that, uh, named, um, you know, responsible party and so forth, all needs that you've wrapped up and packaged in that incident response plan. Additionally, of course, that assessment plan, looking at, um, you know, building that out and making sure that you're looking at, you know, doing that, uh, the architectural reviews and looking at more advanced, uh, ways to assess your systems with, you know, using activities such as pentest and so forth. So upcoming, you've got a couple of due dates, looking at this, like the one in October for the assessment plan. After that's delivered to TSA, uh, once they do have an approval, of course, um, they'll be the, you know, um, it'll actually, you know, the 60 days for approval. And then also looking into, um, you know, if you need support, uh, through these areas, uh, looking for, you know, folks that have been doing this for a while, uh, so, you know, looking at, uh, you know, such as Dragos. We've been supporting customers, uh, on the last, uh, the to be a directive, if you will, for a while, doing these assessments and architecture reviews, pentests and so forth, and, uh, eager to help you as well and support you through this journey.

With that, um, now it's time for a Q&A. Again, um, if you do have some questions, throw them in the chat, uh, and, and we will attempt to answer those. Um, and so, but there are, there has been a couple questions come up so far, uh, that I think would be, um, you know, kind of worth a quick discussion. Uh, so the first one was, how do you recommend that we start implementing or creating this implementation plan? So TSA has given some things, some parameters. How do I go take those parameters from, it looks like a question from, essentially from the requirements to putting on a piece of paper. Maybe Jim, this is a good one for, for you to take.

Um, so one of the aspects of that is that they, by aligning with a lot of the OT, uh, existing standards and things, there's a lot of guidance material on not just what you have to do but how you can come about
doing it. So there's a lot of technical reports, there's a lot of, like, rationale and supplemental guidance for a lot of the related requirements. Um, I would start looking at those first. That, that's a lot of material that's sort of been collected over the years. Um, past that, uh, talk, have a partnership with, uh, organizations that, uh, you feel comfortable talking to, whether that may be, um, somebody that has a back channel to a competitor or maybe somebody that has a discussion between one region of the, uh, of a country to another region of country or to other countries or things like that. Find those trusted partners. Um, and, uh, while I did say competitors of things like, a lot of times people, like, move around in the industry, so there's, there's a lot of just sort of, like, um, willingness to share a lot of information that you can find by sort of, like, reaching out.

Awesome. I was going to add some more to that team, if you don't mind. Um, I'm sure a lot of the members on the call are part of, part of, like, the oil and gas ISAC, for example. Those communities are a great, great place to bounce ideas off, off each other. There is something that we launched recently called, called OT-CERT. It's, uh, it's a collection of free resources to help especially the smaller, uh, customers, um, learn about these things and, and to have some discussion with us if there's some guiding conversations that would help them in that journey too.

Okay, yeah, that's great, great add-in. Uh, next question popped in was, um, and I thought this was a good one, um, are critical cyber systems just for OT or could they also be on the IT side?

Oh, they could absolutely be on the IT side, uh, and, and Colonial Pipeline's a very cr-, like, good example of that. Their logistics system that control, that basically, like, understood what was in the actual pipeline at any one particular time was actually contained within their IT systems, and the reason, one of the, the main reasons why they disconnected the IT from the OT is that they lost that
understanding of what was actually going in the pipeline. I mean, it takes time for, for oil or natural gas or, or whatever to flow through these pipelines, and so they have to understand where the breaks are going to happen, where they're shifting from one company, like one user of the pipeline, to the next user. They have to understand that, that correct billing or the correct logistics that goes along with the, the things that are, like, whatever material is going in that pipeline. And so that connection between IT and OT was very important, and so they needed to understand that and know that that system within the IT environment had to be protected at the same level because it was so critical to OT operations.

Awesome. Another question that came up, um, was around, and this may be the last question just due to time, but, um, regarding patching, which system should we focus on first? Um, you know, for patching, um, again, resources are constrained, so which systems do we focus on first or what's the most important for us?

Um, I would say anything that's actually providing sort of network boundary protections, um, should be, like, your, your primary focus. Of, like, your first immediate focuses is updating your firewalls, updating your, your switches that are doing, like, network boundary protection, um, updating servers and systems within the DMZ that are being used to actually provide those security boundaries. From there, working your way down through the system. So doing that identification of your critical cyber systems as part of that, it's, it shouldn't be just critical or not critical. Yes, that's important to understanding what you're scoping of your requirements for, for your regulation, but doing some sort of, like, decomposition of, of your systems to understand how critical are they. And once you do that, then you can understand, okay, these systems over here are absolutely necessary to my operations or to life safety, and then understanding that you have to protect those, uh, and trying to protect that as much as
possible first and kind of working through from that criticality level.

No, awesome. Yeah, great response. Well, I think that puts us pretty much at the top of the hour and probably concludes this webinar. So, but with that said, we're going to continue the conversation, so if you have further questions that they may not have had an opportunity to ask during this webinar, we have got our contact information up there for you. I do want to thank very much Jim and Sam for taking the time to put this together, and also the people behind the scenes. These webinars take a lot of effort from a small team of folks, and I just want to thank you for that. And then also the asset owners and operators, you folks out there that are day in, day out moving product and, and doing those, uh, critical tasks to support our, uh, our civilization. So with that, thank you very much, and we will go ahead and conclude this webinar, and I hope you have a good day. Take care. Thanks.
