CYBRARY PODCASTS

Ep.02 Chris Kubecka | Hack The World

podcast default

In this episode of the Cybrary Podcast, we sit down with Chris Kubecka the owner and CEO of HypaSec. Chris is an author of multiple books on computer science and penetration testing and has given countless talks across the globe on the subject. Speaking with Cybrarys VP of Content and Community Leif Jackson, they talk about her newest book Hack the world with OSINT.

Topic: Discussion on Chris Kubecka new book "Hack The World".
Hosted by: Leif Jackson, Chris Kubecka
Length: 35 minutes
Released on: January 3rd, 2020
podcast default

Listen to the Audio

Enjoyed this podcast?
Share it with friends now!

Summary

In this episode of the Cybrary Podcast, we sit down with Ms. Chris Kubecka the owner and CEO of HypaSec. Chris is an author of multiple books on computer science and penetration testing and has given countless talks across the globe on the subject. Speaking with Cybrarys VP of Content and Community Leif Jackson, they talk about her newest book Hack the world with OSINT.

The interview effectively covers Ms. Kubecka’s IT background, Skills required, Emerging as well as existing challenges in ICS security. Her insight into ICS security comes from her years of experience working for US Air Force, Space Operations Centre and Corporate firms. Her experience highlights the necessity of practical knowledge, Social Networking, communication and continuous education. Her experience allows her to share real world incidents and helps us understand the importance of each.

Through the interview she has made it evidently clear the huge demand for security in so many domains never thought before due to the introduction of IT and IoT for easier access and operation in more and more fields. We now know with her insight that this field is dominated by creative minds who are ready to think out of box techniques and that includes artists as well and not just IT professionals. Any background can find a place for themselves as long as they are ready to add practical knowledge and dedicate themselves to continuous education. However what good is an interview that talks of just problems and no solution? Ms.Kubecka has put forward many ways of dealing with emerging problems by providing examples implemented in Netherland railways and Japan’s preparation for the Olympics.

Here she discusses her work with Cybrary regarding her ICS course which provides In-depth knowledge of various ICS/SCADA protocols and how to work with them. The Course certainly will help enthusiasts improve their knowledge and prepare them to take on challenges in this vast field. Everyone has something to learn from this awesome interview.

You can connect with Ms. Chris Kubecka on her LinkedIn (linkedin.com/in/chris-k-6577984) and Twitter (SecEvangelism).

Transcript

Leif Jackson: Hi, Chris, super, super excited to have you here. So,I guys Leif Jackson here. Chris Kubeca CEO of hypaSec. I'm excited to have you here.

Chris Kubecka: Oh, it's great to be here from sunny Amsterdam to over here.

Leif Jackson: Thanks for coming. What brings you in today?

Chris Kubecka: Well, doing some work on a course for Cybrary, as well as some other work during this Washington DC visit.

Leif Jackson: Oh cool. How'd you get into cybersecurity originally.

Chris Kubecka: So I originally got into cybersecurity because my mother was a robotics programmer on an industrial automation system to produce cars for digital corporations back in the day. And she was a single mom, didn't have any money for babysitting. So she would bring me into work. And while she worked, she sat me in front of a green screen computer and I was able to learn basic by the time I was six. Basic, It’s a programming language. And I was absolutely fascinated with the fact that I could do things with the computer and it would do the things I wanted it to do. So, yeah, I really, really enjoyed computers. Unfortunately when I was 10. I got to a bit of trouble with them, but when I turned 18 and I was allowed to use computers again, I started working for the U S Air Force.

Leif Jackson: Wow. I guess there's two kinds of people in this world. There's those that get told by computers what to do, and then those that tell computers what to do?

Chris Kubecka: Yes. And I prefer the second.

Leif Jackson: Absolutely.

Chris Kubecka: Yes.

Leif Jackson: So now tell me about your company.

Chris Kubecka: Well, my company does a lot of, government level advisement for various parliaments and governments, that are trading block and close allies, as well as high level incident response for things that could involve nation, state, cyber, malicious activities.

Leif Jackson: Gotcha. And you hire a good number of people in your company now, Can you talk to me a little bit about what kinds of skills that you look for particularly for our audience who are looking to get into the space or develop themselves within the space?

Chris Kubecka: Well, I look for a variety of different types of people because each incident requires different disciplines within the field. And, I don't. Primarily look for someone who has a pure mathematics or computer science degree. I actually look for individuals who have more, I would say, expanded experience and, don't necessarily look for someone who absolutely must have a degree either, but I look at their passion, their talent and their ambition, and, Whether or not, they are continually, continually, educating themselves because this is one of those fields where you constantly have to stay up to date on different things and be willing to learn new things. Some of my best hires have been people with history, degrees, journalism degrees. Music theory is very big and rarely actually have I ever hired somebody who has, say all the, very, very nice degrees on paper. Because many times those individuals don't actually have real world experience. They don't know how to communicate, in a method where you can take technical information and give it to management or executives, which is very, very important to get your point across with.

Leif Jackson: Gotcha. So in terms of those unique backgrounds, like what, what do you see in people before you hire them?

Chris Kubecka: Well, I like to try to figure out what their real passion is, discipline wise, for example, I Was interviewing an Italian gentleman and his eyes lit up when I mentioned reverse engineering. And then he started rambling about how much he just loved it. And you could see the smile all over his face and body. And I was like, well, that's the area that you want to learn on and you already have a bit of basic. So we're going to actually concentrate on that because I know that you will Excel at learning that to a senior level in a fairly quick time frame. And he Did.

Leif Jackson: That's interesting. And so a lot of what you mentioned is like me, musicians are actually pretty good in this space. Do you have any theories as to why that is.

Chris Kubecka: Well, it does definitely change her perspective. I myself play quite a few musical instruments for woodwind and brass, but I've found that there's a propensity towards string instruments, whether that be piano, guitar, or everything in between. And it just seems to change the way that you think if you actually have experience playing a musical instrument.

Leif Jackson: Gotcha. And in terms of how people have taught themselves from, your in plays, like how, have you seen them? Develop themselves over time?

Chris Kubecka: Well, I've seen a bit of a mix because it can be quite expensive to get into the field to start learning. If you're only concentrating on, a US based university course or some of the commercial training courses can be very, very, very expensive. And, I've successfully seen a mix between places like Cybrary, books, peers. And, CTFs are very, very big.

Leif Jackson: Gotcha. So just switching gears a bit, you have a couple of books that you've recently written, Can you just talk a little bit about what those are? We have one right here, and who they are for.

Chris Kubecka: Okay. Therefore, the practitioner level of a person who is looking at digital security, and I say digital security, because that also involves IT, IOT and ICS SCADA systems as well. Because they're all digitized now. The first book was down the rabbit hole in OSINT journey, which, one of the main targets was the Panama papers law firm and showing how many vulnerabilities were available. But also looking at, some other targets to have a bit of fun and looking at about. 20 some different tools of how you can accomplish different tasks. And the book that I most recently published in January, is called hack the world with OSINT and it takes you on a journey, over IT, IOT and ICS Protocols and also explains the differences in the protocols, because for example, ICS protocol is not directly, like TCP IP. You have to use different tools and methods of communicating with it. However, these different types of protocols are everywhere, in the production environment, whether you're talking about water, electricity, building control systems, And when these protocols were originally developed, they did not consider any sort of security. So for example, the modbus protocol we'll take a command from anywhere at any time without any authentication. Because there is no authentication on the protocol.

Leif Jackson: So you mentioned a little bit about ICS controls. That's the course that you're doing with us. So can you tell me a few of the trends in the space that you're seeing nowadays?

Chris Kubecka: Well, it used to be that ICS production environments were for purely ICS production environments, but now to be able to modernize them and digitize them a lot of IT and IOT systems are being added into these environments. And that can be a good thing, but unfortunately it can be a very bad thing. It is now exposing these different types of ICS protocols to a wider audience, as well as introducing IT and IOT risks into a very critical environment.

Leif Jackson: Right. Can you talk about some of those risks?

Chris Kubecka: Well, the main goal for an ICS control network is for availability. So, many times there's no encryption because that can cause some latency in command, and also a lot of credentials or either very weak so that they can be quickly typed in or shared amongst a lot of engineers, which means there's not a lot of, good audit trails and things of that nature. So. When we start introducing something that might be connected to the internet or outside that control network, then somebody could take advantage of that control network and change it around. And I've seen that on many, many occasions.

Leif Jackson: Gotcha. Are there particular verticals that we're using that more frequently?

Chris Kubecka: I've seen it, there are several trends, especially in the United States about attacking different types of water systems. And that could be your drinking water systems, Reservoirs, all the way up to hydroelectric dams, which has been very problematic, as well as some of the electrical grid as well.

Leif Jackson: Gotcha. Yeah, shutting down the electrical grid or poisoning the Mississippi river would be pretty bad for the rest would not get,

Chris Kubecka: That would be a bad thing. A very bad thing. I, myself, like electricity to work when I flip on the switch and I like the idea of clean water coming out of the tap.

Leif Jackson: Yeah. So, who's responsible for protecting it. Is it business or is it government, right, like, so, and does that vary by control system?

Chris Kubecka: Well, it can vary a bit. The majority of control systems are actually privately owned in the United States. So think about all the different types of electrical companies or water companies, a major water company here in the U.S is actually a firm out of the United Kingdom. That's privately owned. And, what the government tries to do is, they try to have enough resources to be somewhat proactive when it comes to critical infrastructure like water and electricity and so forth, but it's not actually their responsibility to secure those particular private systems. They do try to reach out and have a lot of public private partnerships.

Leif Jackson: Okay.

Chris Kubecka: But, it's still the responsibility of those particular private companies.

Leif Jackson: And is that largely in the United States or is that true globally?

Chris Kubecka: It's true. Globally.

Leif Jackson: Are there any countries that are, are uniquely, taking a different position?

Chris Kubecka: There are some, for example, Japan has now passed a law where they can in preparation for the Olympics in 2020 can proactively hack any of their devices and patch them. And they are focusing a lot on critical infrastructure. So they've extended their legal reach to a lot of private companies in Japan.

Leif Jackson: Gotcha.

Chris Kubecka: And we'll, we'll have to see how that works out for the government to be fixing a lot of different devices.

Leif Jackson: And it sounds like a lot of the problems with the controls of the risks are simple passwords or sharing passwords or those kinds of things. Is that what you've seen in others? And other systems that you've even investigated?

Chris Kubecka: Absolutely. So the most juicy juice stuff that I find basically is the security misconfiguration. So weak configuration and there are certain reasons why they used to work in a control environment, but that doesn't really work anymore.

Leif Jackson: So, what do we do, right? I mean, there's, there's, everyone's got 10 devices out there. There's all these endpoints out there. There's so many ways to get in places like where, how are we actually gonna defend ourselves?

Chris Kubecka: Well, there's several ways, not every single device has to be directly connected to the internet. And I'll tell you that now it's always good to have some sort of stop gap, whether that be a router, a switch to segment your network, even at your home, you should be segmenting your network to a certain extent. But also if you can afford it, especially as a business, firewalls are great, they do stop Everything because obviously there, you could have a vulnerability on the firewall or that could be misconfigured, but at the same time, if you, actually don't connect something directly to the internet and pass it through a firewall, then, you can minimize a lot of your risks. A lot of different attacks are quite successful because they're finding low hanging fruit and there's so much low hanging fruit out there.That's the problem.

Leif Jackson: Gotcha. Okay. Could you offer some examples?

Chris Kubecka: Well, there is a big problem, with something called open DNS relays around the world. And we had thought that that problem was going away because you can use an open relay for DNS for different types of DDoSs amplification attacks. But, now the trend is there's now, I think the last time I scanned was about a month ago, there are now more DNS servers that are open relays, and that is because of different types of IOT devices. When they're churned out by the vendors, they are leaving a whole bunch of different ports, open using, older, vulnerable libraries and older Linux kernels, and suddenly things that we haven't been seeing for 15, 20 years sometimes are making a resurgence of those particular vulnerabilities that can be exploited.

Leif Jackson: So kind of bringing things back in style, so to speak,

Chris Kubecka: It's like bringing back the black plague. Yeah.

Leif Jackson: Or eighties here or whatever.

Chris Kubecka: Right. I mean, one of the others, yeah.

Leif Jackson: That's, that's, That's unfortunate.

Chris Kubecka: Yeah, it is. I think on the 16th or the 18th of October, I'll be doing a talk back in the Netherlands on how IOT can be leveraged for cyber warfare.

Leif Jackson: Gotcha. Okay. Well, Let's talk about cyber warfare. so you have a lot of experience in cyber warfare. Can you just talk a little bit about your experience and what you're seeing nowadays?

Chris Kubecka: Well, we started seeing things, early on when I was at space command and the US air force. And then afterwards, when I was at Unisys, we started seeing certain trends, and who was attacking and what they were leveraging. So back in 2009 and July, I was able to detect that a whole bunch of higher performance computers, around the UK and Europe using a higher bandwidth internet connection were infected by a particular type of malware that the North Koreans put out. So then those computer systems leveraging their speed and their performance, were then aimed at the South Korean infrastructure to try to take them down as part of a three wave attack against the South Korean country. And in 2012,I was involved with helping to restore international business operations for Saudi Aramco when the Iranians attacked them. And they again use a particular type of malware called Shamoon, where we even had a burning American flag as it was, deleting the master boot records, of the computer systems that were infected. And, these types of trends are getting more and more. Yeah, because it's much easier to launch quote unquote, a digital bomb from across the world or a different country than it is to send somebody to a physical location. And it's still quite easy to attack an organization with the phishing attack.

Leif Jackson: Interesting. And do you think it'll change the kinds of skills that are being developed in our defense industry, for example, like, Because a lot of war is now cyber war. Right. How do you think it might change?

Chris Kubecka: I think it's already changing. So we have recognition from the US cyber command and US army cyber command of the particular risks. One of the reasons why I'm here on this particular DC visit is to be part of the German Marshall fund, DC headquarters, discussions and workshop on the, joint EU US response to nation state level, cyber malicious activities, which involves cyber war. Sure we're starting to change that mindset. NATO is now quite involved with it over the past few years, as well as finally the European union, with the not current, but the last year presidency, council started, highly recognizing it as a major problem. So, yeah.

Leif Jackson: Gotcha. And is this a public as well as private industry?

Chris Kubecka: Absolutely. Absolutely because the majority of digital assets are owned by the private sector.

Leif Jackson: Interesting. And, one of the, one of the pieces of cyber warfare that's really important to companies is, Hey, cyber insurance, right? Like I buy this cyber insurance and I'm trying to defend my company against, you know, risks associated with cyber risk. Right. But what we're seeing is like cyber war is not covered. Right. So how do you see it kind of. Hitting the back, the bottom line of businesses. Right?

Chris Kubecka: Well, cyber insurance is something that's quite important in the U S and the United Kingdom, as well as a few other countries. And there should be a better distinction between, let's say the North Koreans want to just fund their regime, with a piece of malware ransomware that I would not call cyber war. But because the definitions can be very broad and insurance companies could try to deny your claim by saying, Oh, it must've been because it was a nation state. However, that's not quite the case. At the same time, if you happen to be involved in a cyber warfare, attack, let's say your platform or some of your computer systems are leveraged, because of the particular definition of your insurance company, then you might not have coverage. So, one of the problems that we're having with the quote unquote definition of cyber Wars, there's actually no international definition yet. Right?

Leif Jackson: Right. Yeah, that's kind of a problem.

Chris Kubecka: It's kind of a problem with that definition, per se. So you're like, wow, what is this? I don't know. Maybe we'll call it cyber war.

Leif Jackson: And so how do you see companies dealing with this? You know, maybe we can go by industry, you know, so in financial services, like the financial services sector is attacked by nation states. You might not be covered, right? So like how are they kind of defending against it and protecting their bottom lines?

Chris Kubecka: Well, with the financial industry, they actually are ahead of the game. So several years ago they set up information sharing platforms amongst themselves. Cause it's, nowadays, You can start seeing trends of which areas of the financial markets are being hit and they need to communicate with each other. There are other industries that try to do something similar, but there's still a lot of competition between them. So it can be very problematic. For example, the aviation industry has an ISACA, here in the U S and in Europe, but, because of the competitive nature between Boeing, Lockheed, Martin and Airbus, they don't all communicate.

Leif Jackson: Interesting. How about in the utility sector?

Chris Kubecka: They do have information sharing platforms, but they still are not as communicative as say the financial markets.

Leif Jackson: Okay. So. Information sharing is obviously critical in order to defend against everything.

Chris Kubecka: Yes, absolutely. I’ll give you a good example. When I was at Aramco, we had an anonymous campaign against the petrol industry called op petrol and they targeted Aramco RasGas and Qatar, part of Exxon mobil, international operations. The Malaysian national oil company and one of the Russian oil companies. And although we did not have formalized agreements between ourselves because we were competitors, we still utilized our network to keep communicating during the series of attacks to make sure that we could see what was coming and warn each other.

Leif Jackson: Gotcha. And obviously that happened also very recently in Saudi Arabia. So yeah. Can you talk a little bit about how that might've happened and what are some things they could have done to prevent it?

Chris Kubecka: Well, since late last year, and especially picking up steam this year, there have been several drone attacks against a Saudi Aramco. And this is very problematic because this is a new type of threat. That was not Actually planned for sure, as well as certain rebel groups getting a hold of rockets and firing them at the infrastructure, which can be a very bad thing. You know, there are a couple of things that can be done when it involves drones, drones, unless they're a military grade drone that is actually using what's called the civilian segment of the GPS spectrum. And you can actually manipulate the signal to throw off a drone. The Russians are very, very good at that. They actually have an electronic warfare center set up in Syria that has been messing with the civilian GPS portion. however, it's had some negative consequences. so one of these really airports falls in that spirit cause it's, like a sight to sight with them with limited range. And because pilots use the civilian portion. for commercial aircraft, they can no longer take off for land just using the GPS. So they have to have a different type of training to make sure that they can do manual takes takeoffs and landings at those airports in Israel. But, it diverts the drone attacks which have hit the Russians on several occasions as well.

Leif Jackson: Gotcha. So Russia is somewhat leading the pack there.

Chris Kubecka: Yes. They've actually offered to help Saudi Aramco, with their drone problem. By setting up something similar for them.

Leif Jackson: Wow. That's cool. so I guess there is collaboration.

Chris Kubecka: Well, it's one of these things where it's kind of necessary because, about 25% of the world's energy and in one way, shape or form comes from Saudi Aramco.

Leif Jackson: Yes.

Chris Kubecka: So it's kind of important to protect 25% of the world energy.

Leif Jackson: Yeah. That would be very bad if it went away.

Chris Kubecka: Yes. Yes. We don't want that.

Leif Jackson: It would be very bad On a number of levels

Chris Kubecka: On a number of levels. Yes. Because think about all the things that are made from petroleum, from fertilizer to clothing, to everyday items, to medical supplies, it is not just putting gasoline in your tank.

Leif Jackson: Sure, absolutely. Yeah, you mentioned space a little bit as well. So can you talk about your work in the space field?

Chris Kubecka: So I started in the space field with the U S air forces space command at Buckley over in Colorado. And my primary responsibilities involve the security of the command and control systems and interfacing a lot with my first SOC, a space operations center and dealing with solar weather as well.

Leif Jackson: And I'm in a different form of SOC.

Chris Kubecka: So, In April, I was at the space command headquarters for particular, a closed conference with a whole bunch of, very interesting people. And, we did some work on a, a couple of the problems that we're facing, different types of emerging technology. And what I did was in June, use some of that experience and the university of Oxford and the want for university, funded a space hackathon, Royal Holloway university in the UK. And. Well, we returned around the grand challenge to a group of PhD students to go, all right, here are some of the problems that we have with existing space and some of the problems that we're having with new space, because new space involves industrial IOT systems in the space. Yay. Not really. And so, you know, you have to deal with the fact that most space assets do not encrypt still.

Leif Jackson: Right,

Chris Kubecka: Because that causes a slowdown on the operations. You're looking for availability and space and any extra step could be bad as well as, they use a lot of what's called technician back doors, to be able to just in case, still be able to get into the system with all of the other methods fail. And we've seen that in regular IT systems posing a lot of problems because it really is a Technician back door., and, so, we've been dealing a lot with space. last week I actually did a talk for Cambridge university on responsible innovation for cyber security and new space assets, discussing some of these problems and how they can be leveraged by cyber criminal groups to hide malware, like the malware or a thing that things that they need to consider before they put something, Up in space and attach it to a piece of very sensitive legacy equipment.

Leif Jackson: Yeah. Gotcha. So it's not updated sometimes and

Chris Kubecka: no patch,

Leif Jackson: you get the new black pigs, so to speak. Now, coming through there, that makes sense.

Chris Kubecka: Or one of the bigger challenges is you might have this great idea. And I might be like, Really fantastic for security and you, and you start researching and developing it. But by the time it's launched in space, it's like two generations backwards because it takes time from the idea to paper to actually launching.

Leif Jackson: Gotcha. That's interesting, transportation systems, another area that we talked about. So, obviously a massive industrial control system.

Chris Kubecka: Absolutely.

Leif Jackson: Can you talk about some of the trends there and ways people are preventing? The problems that can happen there.

Chris Kubecka: Well, I mean, there's a difference depending on the country that you're dealing with. So, the United States predominantly has cargo for their railroad systems, not as much passenger, but the systems and the signaling systems are actually kind of antiquated in comparison to, the Netherlands, for example, or the United Kingdom. And. This can pose a lot of problems because more and more train systems, plane systems, et cetera, are being turned into gigantic computers with all sorts of sensors and things that also can connect to the internet, whether they know it can connect to the internet or not And, in the Netherlands. Our train systems are a bit different where they kind of anticipated that this could be a problem. So they went ahead and used a technology from the nuclear industry called a data diode to restrict things. it's basically a one way firewall. And if you were to attack and hack, I can’t get a shell back. Because it's only one way communication, but the U.S because it's such a. Bigger location. There are a lot of different vulnerabilities for example, there are switch boxes that you can actually physically plug into in the middle of nowhere, the United States and look at everything that's going on and maybe even adjust things.

Leif Jackson: So. Gotcha. So it sounds like, I mean, there's a theme here, right? There's a lot of low hanging, simple fruit out there across each of these control systems.

Chris Kubecka: Yes

Leif Jackson: teams should be looking at

Chris Kubecka: Absolutely. If we allow people to find this low hanging fruit, it can be a good thing. Well, bad thing for a curious hacker, somebody who makes a mistake or for it to be leveraged for crime or, for intellectual property and secrets to be stolen from it. And that can be a very bad thing. And if we can cause more effort for the average, say cybercriminal to be able to take advantage of these systems, then they're not going to be as successful. And our systems are going to be a lot safer, but we need to get to that particular point where we are a bit more proactive versus reactive and looking at our particular systems across the board.

Leif Jackson: Gotcha. So, if you were gonna recommend for SOC teams out there that might be watching this, like what they can do to defend their companies against these kinds of attacks, what would be the top one, two or three things that you would recommend.

Chris Kubecka: Well, I would definitely recommend proactively looking at open source intelligence gathering and that involves boasting, people and systems of your company, because, it's amazing the amount of information that you can find fairly quickly with using low cost or no cost tools. The same type of tools that an attacker is going to use, but it's in a nondestructive way. You're not a pen testing, something you're just looking for information and you're not harming any particular systems. So that's a very good exercise and it can save you a lot of grief in the long run. Another thing is, be sure to, absolutely understand the importance of training your individuals because it's great that they might have a certification. But what if that certification is five years old and they know about five-year-old attacks and that's a whole, almost two generations in computing. So regular training, using various methods is absolutely a necessity.

Leif Jackson: I know the platform for that, by the way.

Chris Kubecka: Oh, do you. just to begin with a C

Leif Jackson: yeah, I forget the last few letters,

Chris Kubecka: But yeah, but it's very important. Very, very important to keep training up, And another thing is, understand that, joining various communities within the security community is very important, whether that is Slack channels, forums, a training platform, looking at, security besides conferences around the world because they're free, or other like-minded types of conferences. When you run into trouble, it's a. Great to have the ability to call up a friend and go, listen, I've never seen this type of thing before. Do you have any experience with it? And leveraging that network is very important and extremely helpful, and you cannot leverage a network if you don't have one, but you can get one, if you interact with the community and inside the community.

Leif Jackson: Gotcha. Well, yeah, I know a platform that can do all that actually. It has like two and a half million people. So, yeah, no, that's great. And that's great advice for the teams because it can be tough to decide how, what to focus on with so many options out there. so focusing on just a few things, it can really cause you big bang for your buck, so to speak. Absolutely.

Leif Jackson: well, cool. This has been fantastic. Can you tell us a little bit about the course that you're developing?

Chris Kubecka: Ah, yes. So I'm going to be looking at, sharing my knowledge about, ICS SCADA protocols and a little bit of industrial IOT systems, because they're different from your regular IT, TCP IP, networking asset and the protocols are different. The bridges are different and their goal is different, we concentrate a lot on the IT world on confidentiality, but confidentiality doesn't make a power plant run. You need availability and understanding why those systems are set up that way and also understanding problems with the protocols. So it's very, very important when you end up at a company that has both a business network and then a production network that you have a good, basic, solid understanding of what you need to do to protect those particular environments. And they're being incorporated more and more, and you don't have to work for an oil company. You can just work for a company that owns their own building, and also has building control systems.

Leif Jackson: Gotcha. Is there anything else that I didn't cover that you wanted to kind of say to the audience?

Chris Kubecka: Oh, you would ask me a question. I don't know the answer. You had a lot of notes.

Leif Jackson: I did. Yeah.

Chris Kubecka: I don't know.

Leif Jackson: That's good. That means so we covered it all. Yeah. So protecting the world now. That's great. Well, thanks everybody. I really appreciate you taking the time today, Chris. Thank you for coming in, and I’m very excited for your course and thank you for joining our community and leading our community.

Chris Kubecka: Excellent. Thank you so much.