Experience & Challenges Using Asset Inventory Tools – Episode 138

Asset inventory tools have become almost ubiquitous as main offerings or add-ons to OT security solutions. In this episode, Brian Derrico of Trident Cyber Partners walks us through what it's like to use these tools - different kinds of tools in different environments.

“Trying to build a vulnerability management program when you don’t know what’s out there is a fool’s errand…you’re never going to be able to understand your total risk.” – Brian Derrico

Transcript of Experience & Challenges Using Asset Inventory Tools | Episode 138

Please note: This transcript was auto-generated and then edited by a person. In the case of any inconsistencies, please refer to the recording as the source.

Nathaniel Nelson
Welcome listeners to the Industrial Security Podcast. My name is Nate Nelson. I’m here with Andrew Ginter, the Vice President of Industrial Security at Waterfall Security Solutions.

He’s going to introduce the subject and guest of our show today. Andrew, how’s it going?

Andrew Ginter
I’m very well, thank you, Nate. Our guest today is Brian Derrico. He is the founder of Trident Cyber Partners, and he’s going to be talking about using asset inventory tools. I mean, we’ve had a lot of people on, vendors mostly, talking about what’s available, how it works.

He’s going to look at the problem from the point of view of the user using these tools and why using these tools turns out to be a little harder than you might expect.

Nathaniel Nelson
Then without further ado, here’s your conversation with Brian Derrico.

Andrew Ginter
Hello Brian, and welcome to the podcast. Before we get started, can I ask you to say a few words of introduction, tell us a little bit about yourself and about the good work that you’re doing at Trident Cyber Partners.

Brian Derrico
Good morning, Andrew. I’m Brian Derrico. I’ve been in the critical infrastructure sector for about 15 years. I spent my entire career at a large utility solely focused on the cybersecurity requirements for nuclear power plants.

And my last role there was actually, it was the program manager responsible for the entire cyber program across the fleet. Again, all really dealing with OT type stuff and regulatory requirements.

I left in October, started my own business, Trident Cyber Partners, and mainly aimed to help other critical infrastructure sectors with their cyber problems.

Andrew Ginter
Thanks for that. And our topic eventually is going to be asset inventory. But, let me ask you, you’ve spent a lot of time working at nuclear.

You’ve worked in very old plants, you’ve done some work recently with very modern plants. Can you talk about, in terms of automation, what’s the difference between sort of very old automation and very new automation that you’ve been exposed to?

Brian Derrico
So there’s a lot of similarities, right? At the end of the day, whether it’s a new plant or an old plant, it is still a nuclear power plant. So there is a nuclear reaction that is heating some water. That water is heating some other water in a secondary loop that is flashing to steam, spinning a turbine, making electricity.

So that is nuclear power 101. It doesn’t matter how new or old the plant is. They’ve all generally worked that way for a long, long period of time. To your point, what you do see is the amount of digital assets in those plants is drastically different from new to old.

So in my previous role, I had done some industry benchmarks to try and figure out what is sort of the average number of digital devices that are in a plant. And it came in around 1700 or 1800 per unit.

These new plants that they’re building, they’re an order of magnitude larger than that. There are potentially 10,000 devices on a single unit because everything is digital.

I don’t know how many people have had an opportunity to tour a nuclear plant. I would certainly advise it if you have that opportunity; it is a really, really cool thing to see. And most plants are all analog. There is a lot of analog equipment, a lot of analog indication.

And the new plants, that’s not the case anymore. So trying to keep track of all of your digital devices becomes a very important and critical problem.

For example, in some of the older plants that we worked in, as you’re going through getting asset inventory, you open up the cabinet, you kind of look for what is digital, what are the blinky lights, and you go through and that is generally a manual way that we did a lot of asset inventory.

These newer plants, you open the racks and everything inside is digital. Everything inside could be considered an attack pathway. And there were some discussions and there’s some thought process out there that essentially calling locations critical is going to be an easier way to do it, because saying this entire rack, no matter what’s in it, is going to be a critical digital component is an easier way than trying to label and inventory all 50 or 60 devices. So that was a thought process that was considered.

But again, at the end of the day, every device was considered on a case by case basis. But it kind of gives you an idea of just the scale of how much digital equipment there is in newer plants nowadays.

Nathaniel Nelson
Andrew, I’m glad we’re getting the opportunity to talk about nuclear because it seems like a pretty relevant and highly important field.

And yet it never seems like we get a guest on who wants to talk about it. So where does nuclear stand in the panoply that is industrial security for you?

Andrew Ginter
Well, we’re going to be talking mostly about asset inventory, but let’s talk about nuclear for a while. I mean, Brian said a few words. In a sense, he’s lived a lot of this stuff, without even knowing how unusual it is.

Nuclear is an extreme. When we talk about worst case consequences of compromise, what’s the worst case, the worst thing that can happen in a coal-fired power plant? A boiler blows up, people die.

What’s the worst thing that can happen in a nuke? The nuclear core explodes, Chernobyl, and hundreds of square kilometers become unlivable for centuries.

Oh, that’s very bad. So the consequences drive the intensity of your security program, and nukes are an extreme. I mean, the only thing I can imagine that’s possibly more sensitive than nukes is, I don’t know, nuclear weapons, targeting systems, launch protocols. It’s just that extreme.

What does that mean for cybersecurity? Well, let’s start with physical security. In different parts of the world, there’s different rules. In a lot of the world, you need a security clearance to visit the site.

So in North America, you can get tours of the site. But in a lot of places, a lot of stuff is classified. I don’t have a security clearance. I’ve never seen network diagrams for a nuclear site. I’m guessing a bunch of this stuff is classified. It’s national secrets. It’s that intense.

On the cybersecurity side, again, I talk to people, we serve nuclear customers at Waterfall, and they do things that, again, seem extreme.

They might have all of their OT systems in one room, in one building, and all of their IT systems, all their IT servers, email servers and whatnot, they do have IT networks in nuclear plants. You need to schedule work crews. Got to pay your people.

So they have IT and OT networks. And all of the IT servers are in a different room in a different building. Why? Because they cannot afford someone any time, someday to make a mistake and plug a cable from an IT network into an OT asset. That’s completely unacceptable cybersecurity wise.

And so they physically separate it so that as much as possible, they make these kinds of errors impossible. You can’t do it. You can’t plug the wrong cable and it’s in a different building.

Another example, you might imagine that there would be multiple security levels. You might imagine that the technology that controls the core, the control rods into the core that keeps the core from exploding is more sensitive than the OT systems that control the steam turbines. I mean, a coal-fired power plant has steam turbines.

Steam turbines have steam turbines, you imagine. In fact, again, when I talk to these people, a lot of nuclear sites, in my understanding, have only two security levels. Absolutely highest critical and business and nothing in between.

Again, why? Why would the steam turbines be protected to the same degree as the core control system? In part, it’s because, the physics of these systems, the steam, there are… distant physical connections. The liquid from the core heats up the liquid in the steam. And so there’s theoretically a risk that something happening to the steam turbines could leak back into the core.

But more fundamentally, these people just say we cannot afford to make mistakes with security. And so we’re going to dumb it down. We’re not going to have seven or eight or 13 security levels. And you have to remember which is which and apply the right policies to the right equipment.

It’s going to be absolutely critical, end of story. And which room you’re in. That’s the policy you apply. Again, as much as possible, they eliminate human error.

Regulations. I’m most familiar with the North American regulations. You might imagine, I mean, NERC CIP handles the power grid. If you fail to live up to your obligations under NERC CIP, what happens? You can be fined as much as a million dollars a day.

It’s never been levied, but you get fined. With the nukes, if they fail to live up to their regulations, they’re shut down. They lose their license to operate. It’s that simple. If you cannot operate safely, you cannot operate. Bang, you’re down. So again, intense attention is paid to the detail of cybersecurity and cybersecurity regulations.

Another example. I’m not aware of any nuclear generator. Now, I don’t know all the generators in the world. I’m not aware of any nuclear generator that has any kind of OT remote access, period.

Nothing remotely gets into OT. You want to touch OT, you walk over to the server room. So again, intense. In a sense, though, what I see of the nukes is that they are leaders in the cybersecurity field.

They do things extremely intensely. And as other parts of the field, other power plants, other refineries, other high-consequence sites, as the threat environment continues worsening, as cyberattacks keep getting more sophisticated, they look over at what is nuclear doing, and they pull one after another technique out of the nuclear arsenal, and start applying it in their circumstance. So even if you’re not required to follow the nuclear rules, I would encourage people to read NEI, the Nuclear Energy Institute 08-09 standard, or the NRC Nuclear Regulatory Commission 5.71.

I’d actually recommend NEI 08-09. It’s more readable. It’s got more examples. The NRC 5.71 is sort of more terse and saying, here’s the regulation, follow it. But they are leaders in the space. And over time, I see people drawing on their expertise and the way they do things.

Andrew Ginter
And our topic is asset inventory. And so, we’re talking about how much automation there is. We’re talking about how hard it is to count. Can we back up a minute?

In principle, the truism is you cannot defend what you don’t know you have.

And so that’s why we do inventory. Is that it or is there more to it? Why are we doing these inventories? What good is an asset inventory?

Brian Derrico
So it’s a great question and I’m going to give two answers, right? So one is on the nuclear space. The first answer is we have to, right? And sometimes that is, it’s an answer. I don’t think it’s a good one, but it is an answer. So we do have regulatory compliance around an asset inventory because to your point, it does sort of fuel other aspects of your cyber programs, such as supply chain, vulnerability management, configuration management, et cetera.

The flip side is it’s just, it’s a smart thing to do, right? You can’t build a vulnerability management program if you don’t know what software is out there that you’re potentially vulnerable to.

So trying to build a vulnerability management program when you don’t know what’s out there is, it’s a fool’s errand because you’re never going to be able to understand your total risk.

And that’s really the key is understanding your assets gives you the ability to understand your attack surface. And once you understand your attack surface, you can then figure out what are my vulnerabilities? What do I need to mitigate? What is a possible threat vector an adversary could use to attack this device or this process?

And you can’t do any of that without having the asset inventory first.

Andrew Ginter
This brings us back to our topic. We’re talking about asset inventory. We’re talking about tools. There’s tools out there to do asset inventory. We don’t have to do a manual walk down and count the blinky lights in the cabinets.

Do the tools not solve the problem? Is there still a problem when you’ve deployed one of these tools?

Brian Derrico
So there are a number of tools that do this and some are better than others, right, nature of the beast, but they do a great job of asset inventory. So I currently do professional services for a software company and a lot of their deployments in the OT space are generally for people that want to use the tool as their asset inventory.

Now, the issue sort of becomes a couple of pieces that can come up often, and I saw this in nuclear all the time. A lot of those tools that we’re talking about, they depend on network traffic, right? So they’re looking at source and destination and they’re passively trying to piece together, these are the assets on your network and this is what they do and how they do it. So one problem is going to be you have assets that are not networked. So if you have safety critical devices, they may be isolated. So you’re not going to be able to deploy a tool to do that. So you are going to have to manually enter those in and manually keep track of those in some way, shape or form.

And then the second piece is a lot of these tools that we talked about, they can’t just be deployed instantly. You can’t just throw a box in a rack and call it macaroni. There are architectural changes that have to happen to your network. You have to get traffic from switches. You have to open span ports. You have to deploy sensors.

And that’s where things can get a little difficult on the OT side of the house.

Andrew Ginter
So work with me. Modern switches, any kind of managed switch has got a span port or a mirror port.

You log into the switch, you turn on mirroring and off you go. You can start seeing the traffic and a lot of these asset inventory tools can start figuring out what are the assets based on their traffic.

I get that some systems are not on the network, the safety systems, that makes sense. But is it more complicated than that? I mean, I imagine you’re working with some older systems, older switches, or do any of these plants use non-managed switches?

Brian Derrico
So I’m sure there are some non-managed switches out there. I would not be surprised if there are some hubs that are still out there and kicking.

While in theory, yes, opening up a span port is a simplistic idea. Where that turns into and where it becomes difficult is a lot of these OT vendors and even environments that you’re in, nobody wants to change the system without vendors’ involvement, because everybody’s scared about what are the consequences. Because again, this isn’t an IT system, this is an OT system. There could be some huge process changes and huge impacts and risk if whatever you wanna do doesn’t go according to plan.

And that’s where I have seen the most amount of struggle come from is, you wanna get a span port, you reach out to the vendor, you say, hey, this is what we’re looking to do. We just wanna span this traffic and the vendors don’t wanna budge.

The vendor hasn’t deployed that. They don’t know what that’s going to look like. They tell you that, hey, we’re going to have to re-FAT the entire system after making this change. Now, meanwhile, is there going to be an impact?

No. We can look at switch utilization and see, hey, even if we double, we’ll double the switch utilization. You’re not gonna see a huge impact to that because your switch is only at five or 10% utilization.

But it’s just, there isn’t an understanding on the vendor side. So for some of these big control system vendors, it becomes difficult for them to bless, as it were, making these changes. And that’s where we have seen the most amount of struggle.

And we even had projects where we had to provide a lot of the testing and we provided, this is what needs to happen because the vendor just didn’t have the knowledge.

And I think as time goes on for those control system vendors that are out there, I think that’s gonna be more and more of an issue because more and more of their deployments are gonna have a requirement for some form of higher detection capability. But we can’t just say, these things, they’re in an OT environment, they’re safe. This is just not the case, right? There needs to be a higher level of detection and the vendors need to be more willing to work. And as time goes on I think it’ll be easier, but retrofitting this sort of technology in existing systems becomes increasingly difficult because nobody wants to touch the system that isn’t broke.

Andrew Ginter
So a couple of quick points there. Brian used a couple of acronyms people might not recognize. He said you might have to re-FAT the entire system. What’s that? FAT is factory acceptance test.

It’s set everything up and test every function of the system. Emergency recovery, every function of the system and make sure that it meets the requirements that were laid out when you issued the contract to get the system built.

Typically takes days. You have to shut the plant down to do it. So nobody wants to re-FAT anything. So that’s what the vendors are threatening, saying, well, if you make a change that we haven’t tested, we have to retest it, don’t we?

Another point he made was about bandwidth and, for anyone who’s not real familiar with how mirror or span ports work, you got a switch with, I don’t know, 24 ports on it, 48 ports.

It has to be a managed switch. You log into the switch with a username and password and you can configure the switch. And one of the things you can configure is it’s called a mirror port or a span port.

It’s a port or multiple ports where you send copies of stuff. So typically, if you’re going to do an asset inventory, you configure one port and say every message that anybody sends to anybody else on the system, send a copy of the message out this port.

And now the asset inventory system can look at the messages and say, oh, there’s IP addresses in use. I wonder what kind of machine this is. It’s using this TCP port number, and it figures out what kind of stuff is on the network based on the network traffic. And the mirror port gives you that traffic.

And the throughput consideration is, I thought, and now I’m not an expert on switches, I assume that modern switches, they have ports, 24 ports out the front, and every message that comes in goes onto a backplane. It’s a very high-speed backplane.

And I thought that the message went to every one of the other ports, and the ports decided, do I send this out or not? And so it would go to the mirror port as well. That’s what I assumed. And so, turning on the mirror port would not, in fact, increase the amount of traffic on the backplane because every message is visible to every port.

But what I didn’t get clarification on from Brian, but what it sounds like, is at least some of the switches he’s dealing with, if you enable the mirror port, then the source, if port A is sending a message to port B, it first puts it on the backplane addressed to port B, and a second time puts the same message on the backplane addressed to the mirror port, because it’s been configured to send everything to the mirror port. And that would tend to double the amount of traffic on the backplane.

But these backplanes are massively high speed because they have to support all of the 24 ports simultaneously. So he’s saying, look, your average backplane is barely loaded and doubling the load is immaterial.

What he did not say was that configuring the switch causes the switch to malfunction. I would imagine ancient switches that were around sort of at the beginning of the concept of mirror ports and span ports might have defects in their software that if you turn on the mirror port, it might malfunction. But he didn’t say that. I forgot to ask him. And the fact that he didn’t say it says to me he’s never run into it or he would have mentioned it. So I’m putting words in his mouth there, but I’m guessing that’s not so much a concern. The concern is throughput. The concern is testing. That’s just, people worry about things working the way they’re supposed to if you make a change that has not been anticipated. This is the essence of the engineering change control discipline that is, again, used intensely at nuclear sites and used, but maybe just a little less intensely, at other critical infrastructure sites.

Andrew Ginter
So work with me. In the modern day, you’re saying, the control system vendors don’t get asset inventory. I mean, span ports, mirror ports, they’re also used for intrusion detection systems.

This is what Dragos uses. This is what Nozomi uses. The six pillars of the cybersecurity framework, the NIST framework, include detect, respond, recover. You’ve got to be able to look at what’s happening on the hosts. You’ve got to be able to look at what’s happening on the networks.

Really, the vendors in the modern day don’t get this?

Brian Derrico
And I credit where it’s due, some do get it better than others.

However, there have been some vendors we’ve worked with that did not want to make any changes because they just wanted to give us the same system that they gave us 20 years ago, with one version higher than what we deployed, again, decades in the past.

And, when pressed, while the people on the vendor side are experts in what they are doing, they are experts in safety design, they are experts in PLCs and how all of these things talk together.

They’re not IT people. So when you start talking, hey, I want to open up a span port, it’s different. They don’t understand. They think it’s going to cause an impact to the system. Meanwhile, as people with an IT background, we can see that, hey, you’re using managed switches. You can enable a span port.

The inputs are 100 meg. And even if all of your PLCs are completely maxing that throughput, the backplane of the switch is going to be nowhere near utilization, and even doubling that, you’re not going to see a decrease. And it just takes a long time to get the vendors on board, and again, we even offered to do some testing and show what the utilization changes were.

And, we have seen that again with some vendors are better than others. But, I feel like at the end of the day, it’s we just want to give you the same system that you’ve already had. And making changes to that is scary.

And, we’re an isolated system. So, we don’t need to deploy a lot of that technology because we’re just going to stay isolated and not connected to anything. And the reality is that isn’t as effective either, because while you lose the sort of network attack path, you still have several others, such as physical supply chain and portable media.

So having detection capability is actually, in my opinion, it’s worth the risk of plugging that thing in as long as you have a sound architecture. And that’s where some of the struggles begin with changing sort of that mindset on the vendor side.

So for example, some of the control system vendors that there’s workstations and stuff there, they understand that, yes, there are detection pieces. You’re going to deploy some level of network intrusion detection.

You’re going to deploy some level of SIEM agent, right?

So I need to send Syslog and we’ve had good luck, and again, with particular vendors there. Some vendors will actually, included with their control system, they will also include a security suite.

So they will have their own HIDS, their NIDS, their SIEM, and that’s all included. They have a patching server that distributes Microsoft Quick Fixes and all that stuff. It’s great.

However, when you get to that lower level of your PLC type stuff where, again, we were working with a PLC vendor and they would not budge. They did not want to change their design.

They thought that the switch, there would be a loss in time of communication, which would affect the safety related aspect of the design, and they did not want to budge.

And it took two years for us to work with them for them to understand that we have requirements. And when the programs were implemented, specifically across nuclear, it was understood that you’re not going to go in and bolt this stuff onto existing systems. But when you’re starting fresh, when you’re building a system from the ground up, it has to have all of these components. There is no longer an excuse to say, oh, it’s already working, we’re not going to go play around with it, it’s going to obviously cause issues.

Everything has to be baked in from the ground up. The cybersecurity piece has to be foundational. And again, with the PLC vendors, we found it to be, again, with one particular vendor, very difficult for us to get that through, and it took a number of people trying to work the PLC engineers through why this is, we promise, here’s some data to back it up.

And they finally did agree to use the architecture that we had kind of specified from a design perspective.

Andrew Ginter
So we sweat blood, we fight with the vendors, we get our asset inventory system deployed, we augment it with manual inventory for the air-gapped or the isolated networks, and we use it for managing patches and vulnerabilities.

Is there anything else we use it for?

Brian Derrico
Absolutely. To your point, vulnerability management’s a big one, right? Because I think at the end of the day, your asset inventory is going to give you what your risk profile is, what your attack surface is.

Vulnerabilities is one part of that. There is another piece of it that is supply chain, right? So we talked about that a little earlier, being able to understand what are the important devices that I am going to procure, and procure those with certain sets of requirements. That’s also critical.

Another thing that we would use it for is configuration management. So understanding what is your configuration. You can build tools, you can use tools that tell you this is the configuration on the device.

And some of those tools out there, some of those network intrusion systems that are OT-centric can also give you alerts and understandings on when changes happen. You have a code download to a PLC.

Is that expected? And then also, this is the running code of that PLC, and this is what changed, and you would have visibility into all of that. And again, all based on your asset inventory and having as much information as you can about those assets.

Andrew Ginter
And if we could sort of bring it into the modern world, the latest automation systems have a lot of devices and asset inventory counts them. This is great.

But there’s a lot more we need to do with the information. So you’ve talked about patching. We’ve had people on the show talking about SBOM, software bill of materials, keeping track of sort of embedded software when vulnerabilities are announced.

Is there automation for tracking SBOMs and vulnerabilities and doing the mechanics of patching? Arguably, counting the asset is the easiest part of managing the inventory.

Is there more in sort of that we can expect of modern tools?

Brian Derrico
I think there is. And vulnerability management is always going to be one of the most difficult things to conquer because if you don’t have an updated software inventory, you’re never going to know what’s out there. You can do all the Windows patches in the world, but there are obviously tens and tens of thousands of non-Windows vulnerabilities where if you’re running, again, insert whatever software product, right? There are huge vulnerabilities around a lot of those. So can you automate it?

I think it comes down to you can automate the visibility. Right? So you can at least understand and have up-to-date dashboards of, these are the devices that you need to worry about. Right? This particular device has five critical vulnerabilities. And then that gives your internal cyber engineers something to go after to mitigate to overall reduce that risk.

I also think it’s important from a business perspective to understand what are we going to do, right? On the IT side, there’s a lot of patching processes and there’s SLAs associated with, is the vulnerability critical, high, medium, low, et cetera.

On the OT side in general, OT is very averse to patching and mitigation. And I agree with that in some senses, and I don’t agree with that in other senses. And I think as a business, you need to understand what is your tolerance for that risk? What are you willing to accept?

And are there areas where, yes, we’re comfortable, we’re not patching because we have all these controls in place. And in order to get to the device, there’s guns, gates, and guards in the middle of it.

But hey, maybe if something really, really, really big comes out, we are going to take care of it. And we do have to come up. So I don’t think there is a way to fully automate it, but you can at least automate the visibility.

So you don’t have people just manually searching NVD with a software list that they don’t even know is accurate. You can get that part out of the way. There are tools out there that will help you. And then it becomes a business decision and sort of a business process around, with all that information, here is your overall risk profile. What are you going to do about it?

And that becomes the deeper discussion, again, around what specifically the business is, how much risk tolerance you do have, how much risk avoidance you want to have, and kind of go from there.

Andrew Ginter
Well, Brian, thank you so much for joining us today. Before I let you go, can I ask you, can you sum up for our listeners? What should we take away in terms of what we’re doing with asset inventory?

Brian Derrico
Absolutely. I would say asset inventory is the most important part of your program, because if you don’t know what assets are out there, you’re never going to be able to protect your organization from somebody that maybe they know what’s out there and you don’t.

So asset inventory is critical. You cannot build upon your internal program without understanding what your attack surface is. I think another point is there are tools to help you.

This is not something that we need to do manually anymore. You do not have to go into cabinets and count every single blinky light. There are tools and, you know, products out there that will help us get closer to where we want to be.

And then at the end of the day, you still need an internal team that understands what the information coming back is. So, you know, if you do need help in deploying these tools or selecting tools or understanding what the risk is, I’d be happy to help.

You can connect with me on LinkedIn. Brian Derrico, I think I’m the only one. And I can help you with those problems because, again, once we conquer assets and get the tools in place, a lot of pieces of the program become a lot easier.

And my goal and what I love is just driving efficiency. So let’s automate, automate, automate, use tools to kind of help us see what we can and just do what we can to protect critical infrastructure.

Nathaniel Nelson
Andrew, that just about concludes your interview with Brian. Do you have any final thoughts about what he talked about there that you can leave our listeners with?

Andrew Ginter
I mean, I think what I took away from here is the importance of inventory and the need for automation. I mean, if a modern nuclear generator has 10,000 plus devices in it that have CPUs in them that have to be managed, that have software that have to be managed, then, you know, I don’t know that a nuclear generator is that much more heavily instrumented than the average industrial thing. If you buy a steam turbine, a modern turbine is heavily instrumented. If you buy any kind of physical equipment, it’s going to be heavily instrumented. This is, you know, there’s plus CPUs in a modern automobile.

And that’s something that fits in your living room. We’re talking about massive installations. I would imagine that a big refinery has as many as 100,000 plus devices if it’s been upgraded recently.

When was the last time you tried to manage a spreadsheet with 10,000 rows in it? When was the last time you tried to manage a spreadsheet with 100,000 in it? Just manually counting the blinking lights takes a long time.

Automation to me is essential. I mean, this is, you look at the NIST cybersecurity framework, sort of the grand compendium of everything that is cyber. What’s the first thing you do? Well, the first thing you do is figure out who’s responsible for the program and, you know, assign budget and responsibility.

What’s the second thing you do? You take asset inventory. You got to understand what you’re protecting. So, this all makes sense that you need the inventory and in the modern world, you need automation. There’s no way you can do this anymore manually. So, my thanks to Brian Derrico and, learned something here.

Nathaniel Nelson
Yes, our thanks to Brian. And Andrew, as always, thank you for speaking with me.

Andrew Ginter
It’s always a pleasure. Thank you, Nate.

Nathaniel Nelson
This has been the Industrial Security Podcast from Waterfall. Thanks to everyone out there listening.
