In episode 18, Alan Mihalic, President IoT Security Institute, speaks to the challenges and success factors associated with securing Internet-of-Things (IoT) devices in smart supply chains. He draws upon the IoT Security Framework to share some guiding principles and practices to help supply chain participants specify, procure, install, integrate, operate, and maintain IoT securely for smart cities and critical infrastructure.

Time Stamps

00:42 -- Please share with the listeners a bit about your cybersecurity journey?

02:17 -- How would you define or describe the challenges of a smart supply chain?

06:56 -- In fact, you mentioned during our prior discussion about the security-by-design approach, and that really appeals to me, I'd love for you to expand on that for our listeners.

14:22 -- What are your thoughts and recommendations on vendor selection and vendor management in the context of IoT devices?

29:20 -- Can you speak about the IoT Security Institute, its offerings, and its benefits?

40:57 -- I'd like to give you the opportunity to close it out with some key messages for our listeners.

Memorable Alan Mihalic Quotes

06:17

So to protect a smart grid or water supply or things of that nature, the government can't just do it, the government relies on the community and corporations to ensure they do their part. Now, that ostensibly may seem a very logical thing and it certainly is, but from a practical deployment and accountability perspective, it is a seismic shift in the way we look at security.

13:27

The underpinning success story of any smart technology implementation is to trust more. We can stand up a server if it gets knocked out, we can stand up a power plant if it gets knocked down, but when the trust of the community is knocked over, then that's a very hard thing to get back.

14:06

It's very hard to ask someone to provide all the privacy information, all of the access to things that can be aggregated and circulated when that's abused.

17:20

IoT device has to fit be fit for purpose, it needs to be able to maintain baseline security that is in accordance with the data that it's collecting, aggregating, filtering, analyzing, etc. It cannot simply be a dumb device, for want of a better word, that has no inherent security controls.

17:47

You could spend an awful lot of money on security controls, but be undermined and done in by a $10 IoT device.

Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast

Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.

Connect with Dr. Chatterjee on these platforms:

LinkedIn: https://www.linkedin.com/in/dchatte/

Website: https://dchatte.com/

Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338

Welcome to the Cybersecurity Readiness Podcast

Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of

A Holistic and High-Performance

Approach. He has been studying cybersecurity for over a decade,

authored and edited scholarly papers, delivered talks,

conducted webinars, consulted with companies, and served on a

cybersecurity SWAT team with Chief Information Security

officers. Dr. Chatterjee is an Associate Professor of

Management Information Systems at the Terry College of

Business, the University of Georgia, and Visiting Professor

at Duke University's Pratt School of Engineering.

Hello, everyone. I'm delighted to

welcome you to this episode of the Cybersecurity Readiness

Podcast Series. Today, I will be talking with Alan Mihalic,

Founder and President IoT Security Institute. Alan,

welcome. It's great to have you as a guest. Thanks for making

time to share your thoughts and perspectives with our listeners.

So let's get started with you sharing with the listeners a bit

about your cybersecurity journey.

Well, firstly, thank you, Dave, for inviting

me, it's a pleasure to be here. My journey is a long one. It

started off very much in a technical realm, working with

security, security services that evolved over time into

architecture, governance, risk management, subsequently, it

moved into advisory services. And that's spanned a period of

over 20 years now. Of late, relatively, I suppose, the the

emergence of smart technologies and smart cyber has drawn me

into that area, because it's at firstly, it's a particular

interest. And secondly, it is certainly the the challenges of

the future and as many cyber professionals will state that

the future is far more interesting than the past.

True, very true. And in fact, when we were

discussing about this podcast, and we are talking about

securing the smart supply chain, and you are talking about your

IoT security Institute, the Internet of Things security

Institute, it, it kind of brought to mind the the reality

that we face today, where the more digitized we get, the more

smarter we get, so to speak, the more vulnerable we are. While

these smart devices offer many benefits and capabilities, they

are known to have weaker security protections. They're

often not easily patchable, or updatable. So there are lots of

challenges in front of us. You know, how would you define or

describe the challenges of smart supply chains?

Well, I think firstly, we can we just look at

IoT and devices at first, as part of that overall picture, I

think that it's not just a technological change, but it's

societal change. And the emergence of IoT has affected

urban planning, engineering as much as it's impacted network

computing services and traditional services delivery. I

mean, effectively, IoT is at the core of our smart cities we live

in, the smart buildings we occupy, and, and even even the

smart bodies we inhabit. And as a result of the sheer number of

these devices, and the increasing dependency upon these

devices to function in an expected manner, especially in

critical environments, bring forward a scenario where the

ramifications of failure or compromise are incredibly

significant. We cannot afford to be complacent when it comes to

this type of security, particularly IoT security. So

the interesting thing that that could effectively be looked upon

as somewhat technology restraint. But this shift has

also caused a great deal of change in the way we just view

security and national security in a way that perhaps we never

had before. And I just like to extrapolate, like, extrapolate

upon that a little bit. The notion of protecting a nation or

protecting our critical assets is generally being thought of as

a government responsibility. Now from a military perspective, if

our nation is at threat, we have an army we have an air force, we

have a navy And the government is tasked with making sure that

that meets the the challenges ahead and the potential

adversaries that may threaten our, our existence. To put it

that way. This technology, it needs to be understood and many

are coming to it now is that it is defined security and national

security, not simply can no longer be a government

responsibility. And you're seeing that in the changes in

the way that legislation is produced the way we approach the

whole notion of being a secure society. Now, let me give you an

example. Governments have been briefed, and are well aware now

that they cannot, as, as previously mentioned, secure us

they need to rely on both the public and the private sector.

So cybersecurity is as as has been given a responsibility now

on corporations and institutions got a responsibility. And

governments are driving this down very strongly to ensure

that they meet, as you mentioned, those security

challenges that are emerging out of the IoT or, you know, bigger

picture smart technologies. So to protect a smart grid or water

supply or things of that nature, the government can't just do it,

the government relies on the community and corporations to

ensure they do their part. Now that ostensibly may seem a very

logical thing and it certainly is, but from from a practical

from the deployment from an accountability perspective, it

is a seismic shift in the way we look at security. So, we may

come in and say IoT devices, but when we look at how they are

deployed, and the sheer number of them, and the omnipresent

nature, it becomes quite a challenge. So we can say that

the conversation can be can be had at multiple tiers, with with

similar considerations.

Absolutely. In fact, you know, it is really,

you need to take a holistic approach a people process and

technology approach, you need to involve the various

stakeholders, like you said, government alone is incapable of

securing the critical infrastructure, the partnership

with the private sector is essential. I have to mention, in

the context of this discussion, in March of 2018, my city of

Atlanta suffered one of the largest and most expensive

ransomware attacks, costing upwards of $17 million. The city

and its services came literally to a standstill. You know, all

the automated operations were kind of crippled, everything had

to be handled by paper, in person payment of water bills,

renewals of business lines, licenses, payment of parking

tickets, you know, everything got affected. And, and that's

just a, well, I don't want to use the word just But that's an

example of a city getting breached. Now, think about our

nuclear infrastructure. Think about, like you mentioned, the

water systems, the natural gas resources, we are deploying

smart technologies everywhere, to enhance efficiency, enhance

effectiveness. But along, you know, while we do that, unless

we are extremely security conscious, it's going to be it

is a huge challenge. It's not easy to handle. In fact, you

mentioned during our prior discussion about the security by

design approach, and that really appeals to me, I'd love for you

to expand on that for our listeners.

Okay, well, security by design is

effectively ensuring that cyber security and principles of

privacy are included in all all stages of the design build run

process. Now. We that means that security is not factored in,

after a building or a city solution has been implemented,

but it's very much part of the entire process. And because

urban urban planning and engineering is such a

complicated area, because both in the physical and virtual

aspects, it's paramount that these checks and balances are

maintained through the process. And we can take that as simply

as saying that, again, coming back to the idea of IoT devices,

ensuring that they're appropriately sourced for their

purpose, not simply as a case of the beneficial price points and

equally, the standards need to ensure that, that the privacy of

the of the community and of the individual is protected. Now you

can, you can take that out from a device to, to the philosophy

of the city, you can take that out to the, to the risk appetite

of the community. And so security by design means to

factor in, the considerations that you would, when assessing

the risk profile, the security controls required to protect a

given asset. Now, I'd like to sort of take a little bit

further than that. Now, we often you know, for those of us that

have been around long enough and have always defined security as

securing an asset, and that asset is often taken a physical

form, but just on the previous point that, that security by

design can be taken to the investment can be taken to a

community say the state of self. Now, let me give you an example.

Um, you know, we look at the stock market, and we look at the

the stability of institutions to be able to provide a service

step that has a return on investment. Now, if we look at

that, in this context, communities, cities, have a

responsibility to ensure that they can provide all of the

services required for a day to day operation. Now, from a

business perspective, you were talking about bringing down the

services in Atlanta now, look at the look at the investment. If

we look at that meeting followed with the investment implement,

implement implications, and the associated risks associated with

doing business as we evolve into a smarter and smarter world. I

mean, would you invest into an organization or a city that has

such a potential bad record, you would have to consider that you

would have to say, well, what's their infrastructure like? What?

What happens if it all falls over? And when we speak about

the energy sector, we know that minutes is millions, we're not

talking about small sums of money. Additionally, from a

society point of view from from the welfare or mental health of

their citizens, as we ask them more and more to be participants

into this smart world, we have to understand that people by the

nature requires stability and security to function properly.

Now, if we live in a society that that has these disruptions

that there is also an a follow on effect to the community. And

just may I finish off that point by saying that often these

concerns are difficult to communicate across the table,

especially at this time in the story. In the future, obviously,

it will become easier as it becomes more prevalent. But the

argument for smart technology, we know the benefits, we know

what can be done, and we know the potential that it has. But

from a business, if I might just wear a business hat for a

moment, as cyber professionals, we need to ensure that it's not

the technology alone that needs to be positioned, but we have to

understand the core of what makes a successful

implementation. And one of those, of course is return on

investment. Now businesses, communities, government, all

look at return on investment, we provide a service as we get a

return on investment. And we we decide whether there is positive

or negative nature. No more is that

applicable to the smart technology sector. In other

words, the underpinning success story of any smart technology

implementation is to trust more. We can stand up a server if it

gets knocked out, we can stand up a power plant if it gets

knocked down, but when the trust of the community is knocked

over, and because of its by its very nature, smart technologies

require the participation and engagement of a broad number of

people across an array of areas, if trust is lost, that somewhat

comes back to my original point about the psychology of

communities, then that's a very hard thing to get back Dave.

It's very hard to ask someone to provide all the privacy

information, all of the access to things that that can be

aggregated and circulated, when that's abused. And that's

becoming another very critical area. So once again, a point for

consideration.

Absolutely. In fact, your point is your

points are very well made. Security has to be etched not

only in the organizational DNA, but also in the human mindset.

It might sound a little odd, but that's the environment we live

in. Because every step we take, whether in the capacity of a

professional or in our personal capacity, the security

implications have to be considered and I'm trying to

keep it at a level that everybody can relate to. I can

get a little more technical if I wanted to but I don't want to at

this time. But But yes, at a high level, literally every

aspect of our life, professional, personal are

getting affected. And it's a very, very difficult, formidable

challenge to get everyone to do their part. You know, I've been

saying this for a long time that cybersecurity is everybody's

business, we can have the best of cybersecurity professionals,

we can have a great design in place, we can even implement as

per plan, but to be able to sustain it to achieve almost

like a high level of precision, and, you know, to make it as

fail proof as possible, many, many things have to come

together. And that makes it a formidable challenge. While I

think of challenges, one thing that comes to mind is vendor

selection, vendor management, I've learned that the IoT

vendors don't have a great reputation of providing very

robust devices, once they have sold something, they kind of

would like to walk away from it. Given the proliferation of the

devices, the fact that we will be using such devices more and

more, what are your thoughts and recommendations on vendor

selection and vendor management in the context of IoT devices?

Yes, of course. Well, I mean, from the outset,

it's effectively a case of buyer beware. And as the as the, as

the evolution of these devices has has moved forward, people

are becoming more aware. And some of the key areas, of

course, as I touched on previously was to understand

that it's not about price point. You know, we are talking to

naturally it's a consideration, we were talking about 1000s of

devices here, millions of devices. And it's not difficult

to understand that the procurement department when it

sees the orders, and sees what the associated costs may be,

they certainly there's a push that, you know, let's buy cheap,

it's effective, let's buy cheap. But we've quickly understood

that the first thing we need to understand is, as I mentioned,

is that IoT device has to fit be fit for purpose, it needs to be

able to maintain a baseline security that is in accordance

with the data that it's collecting, aggregating,

filtering, analyzing, etc. It cannot simply be a, a, let's

call it a dumb device for want of a better word that has no

inherent security controls. Because, you know, there's that

old, you could spend an awful lot of money on security

controls, but be undermined and undone by a $10 IoT device.

Yeah, there's the old you know, this the old story about the the

goldfish bowl, you know, what a temperature sensor in the casino

where they brought down the casino through that, and that's

it's been overly used and, obviously, overly referenced.

But it's, it's applicable. And so I think that to your

question, what needs to be done is that organizations,

government, need to provide assessments and checklists to

ensure that the purchasing process is aligned to what the

product will be exposed to, and the and the risk associated to

that, to that product. And that can be driven by a, as I said,

buyer beware, we have better educated people that can make

those decisions, get the can put in the appropriate standards and

checklists that ensure that this is what we need. And that step

one will have to be a compliance governance model against these

devices, you cannot simply go out and procure something

because you think it's the best product, we need to take that

GRC component into, into effect. Equally, governments are now

around the world starting to look at actually mandating that

you know, that it has to, for a particular organization to to

procure a particular device for a particular purpose needs to

adhere to this mandated standard. So that's that they

are the positive things that need to be done. And, and I was

on a few weeks back on a bit of a bit of a panel and even

looking at the potential of labeling requirements for

products both in the let's say business sector and but also in

the privacy sector. I'm sorry, in the in the in the public

community sector, whereby and it's a challenge, we won't go

into that detail because the time isn't necessarily here to

have that break that down. But But effectively, it's a

communication education tool that enables people to make

informed decisions on what they are buying. Now if we take that

into the home for a moment, you go off Dave in to the local

store and you want to buy a device you can read on the side

of the box. This has been rated ABC And it cost 2995. The other

one hasn't been rated ABC and it costs 1095. You are then put in

a position to say, Well, what does that mean, to my family to

myself to my privacy? What does it to us? What does it mean to

us? So that's another aspect of potential labeling could could

be a way and that labeling could be interpreted within a business

context in another way. But to round off your question, it's

effectively self knowledge, corporate knowledge, standards

and legislation that ensure that we aren't always buy cheap,

because it's some, it's an easier decision to make.

To add to that, we have to have a rigorous

selection and evaluation process. In my book, I talk

about the commitment, preparedness and discipline

framework of creating a high-performance information

security culture, and one of the themes of that framework or the

framework speaks to creating this culture where every step

that an organization takes, and in this context, the one that

comes to mind is, is developing the business case for buying

anything. And business case, as you know, has several evaluation

criteria. And security has to feature very prominently,

whoever is sponsoring a particular purchase needs to

clearly articulate and know which devices are being bought

from whom, why, what steps have been taken to review, to

validate. So it has to be a very comprehensive process, it has to

be institutionalized, so it's as fail-proof as possible. Well,

yes,

sorry. And I think to take a point further, that

that is the business case, that needs to consider, as I said,

that the trust models underpinning the return on

investment, it's pointless being a medical clinic, that can,

having enormous service benefit health service benefits in

adopting this technology. And equally, it reduce it will be

more cost efficient, but at the cost of losing the trust and

breaching the law, then the business case for for the

selection process of vendors, etc, takes a different turn,

equally, equally. And I think this is one point that I tend to

really focus on is that there is a community expectation in all

of this. When you work for company A, and you sign your

paperwork saying I adhere to employment policies and so

forth, there's an HR department there, you know, there are

aspects that protect you as an individual, not just as an

employee, equally, these technologies that are out there

in the community, to be absorbed and utilized by the community

has an underlying community expectation as to what they do

and how they do it. And we need to assume, well, I don't have

given us yet, like most of us, we don't really know how the

traffic system works. You know, red lights come tell us to stop

and green lights tell us to go but behind all of that there is

a great deal of due diligence around that particular service,

there's, you know, we have a community expectation that when

one light turns red, the other one turns green. And you know,

and as I said previously, the assumption is, well, the most

people don't know how all of that works. And equally, what

we're proposing here with smart technologies, we have to

appreciate that the majority of people have stuck know how it

all works. Not all same way, I don't know the trend, how the

transmission works in my car, I just assume that somebody does.

And I think that that's part of our business case, and that's

part of our community obligations as we move forward.

And, you know, this is a heady time, there's a lot of money to

be made, there's a lot of benefits to be had. And it's a

bit like a new frontier, you know, we want to rush out there

and get a plot of land, you know, and put a stake in it, you

know, and I think that we need to be very mindful of that.

Absolutely. Just imagine we go out there and

be buy these smart devices to install at our homes, we get

excited about the product, we get excited about the benefits.

But are we also thinking about the security aspects, the

security implications, that level of awareness, I don't

believe is there and you know, it's not even a fair expectation

that it should be there. And that's where the education has

to be more widespread. You know, I'm big on making cybersecurity

part of the core curriculum. So you know, anybody who's

graduating from college with an undergraduate degree, at least

has had one course on security because you want to change the

mindset. You want to ensure people are constantly thinking

about the security implications because if that's not happening,

and if people still are a very important part of the process,

they're unlikely to achieve the due diligence that you talk

about. Because it has to, it has to feature not only in the

mindset of the senior leadership, but across all

levels of the organizational hierarchy.

And may I, just quickly on that point, which is

extremely relevant, I would extend that education out to the

executives, to board executives, you and I have grown up in a

time when we both heard the words well, you know, that's,

that's the chief executive for this, and they don't know

anything about technology, or that's not their problem. Well,

I don't think that it's no longer a sustainable argument.

They certainly understand how e commerce works. They certainly

how their supply chain works, how transport and logistics

work, or they may not be truck drivers. I think it's a it's a

poor excuse. And I think it's it's imperative that

cybersecurity courses at the appropriate level, be at

business risk be assigned, risk exposures conducted in a way

that's applicable to the audience, of course, but it

needs to be brought to the to the board level to the executive

level. That argument of well, I don't know much, much about

security, that's not my area. I don't think that floats anymore.

I mean, that they aren't you know, executives need to

understand price to market ratios, they need to understand

the share market, they need to understand, you know, the the

aspects of business administration. I think

cybersecurity and its obviously its financial and regulatory and

other requirements, it again puts it clearly a module on the

on the curriculum, I would say, albeit a small one, but it

certainly I think has has a place.

I couldn't agree with you more, in fact,

many years ago, and I was having this discussion with the senior

executive of a large organization who said, Dave I

don't have time for cybersecurity, I have to run

billion dollar operation, that security has to be handled by

the Department. And so I told him, I said, you know, I get it,

that it's you don't have to be that doesn't have to be your

focus. But you have to provide the support, provide the

commitment, because at the end of the day, if that security

fails, the implications can be severe. Now, if I were to have

the same conversation with him today, I promise you, he would

be saying something different. But it's taken a while for even

the leadership to recognize how significant and how critical

information security competency is, it often takes,

unfortunately, takes government mandates it takes legislation to

get the organizational commitment, that is the

necessory. And whichever way it is, the sooner it happens, the

better. And as you and I know, the tone has to be set at the

top, if there's Yes.

And if we take that. And if we take that,

logically, back and forward, as we've been conducting this

conversation, governments are legislating to the point where

they're requiring that critical infrastructure executives to do

something about situational awareness they need it's part of

a defense strategy now. And governments are clearly saying

if you're not educating yourself, and if you're not

doing that, which is required, we will come in through some

sort of regulatory means and do it for you now that that that

sets off the bells in the beltway in the boardroom,

because nobody wants to regulate it coming around and talking

about what you're doing, or you're not doing. So. So to your

point, the initial conversation was it's not my business. That's

the that's the security department. The follow up

conversation is, I am being made accountable. And these are

intelligent people we're talking about, they do what they do very

well. And when they understand that accountability is

associated with their actions, then then the mind shift

changes. But until we, we start through education legislation,

to apportion responsibility, there'll be a slow trend coming.

Very true. And you know what, what worries

me is, unfortunately, we we have a proven track record of being

reactive, catastrophes have to happen before we get all serious

about it and do things. We are right now going through this

pandemic, without trying, trying to put blame on any

organization, it is still my conjecture that we should have

been better prepared, given the investments we had in place, the

resources we had in place, but we were unfortunately caught

napping And we were reactive. And I worry that through

breaches, we could have even more severe catastrophe. And I

hope that never happens. So we can't afford to be reactive, I

hope, whether it's the government, whether it's the

private sector, they truly form this partnership, this global

network, and they approach cybersecurity as one global

team, as opposed to taking a isolated, regional national

approach. I think cybersecurity is such a challenge that has to

be addressed holistically with all the key players coming

together banding together. And that leads to the next

discussion I want to have with you is about the IoT Security

Institute that you run. And it comes to mind because of the

global nature of the organization and how it

encourages partnerships. And I believe that we need more of

that. Can you speak to the Institute its offerings, its

benefits?

Yes. And it's, it moves nicely from it, we move

nicely into it from your previous statement in that part

of the smart technology sector is that we work with so many

different people, cyber professionals originally and to

generalize somewhat, worked within the IT groups, they had a

perimeter. And they ensured that the outside was out in the

inside was in with smart technologies, IoT critical

infrastructure, we see more and more cybersecurity professionals

working with urban planners, engineers, industry leaders and

then an array of transport and other essential services

sectors. So the the IoT really came about because we did

research and we looked at there was no shortage of documentation

or white papers that said, Oh, look at these are all the issues

you need to be mindful of. So we we, as an institute, we started

looking at a means by which that we could come up with a with a

with a framework or effectively a guideline that would provide a

cyber and privacy principles to professionals that could be

implemented from a base build through to build completion. So

in other words, it's a way of establishing a comprehensive set

of guidelines to help to help each of the supply chain

participants to specify, procure, install, integrate, and

maintain IoT security within smart technology ecosystems.

Now, that's a big statement. And but But what it's saying is,

there's, it's there's a lot that happens in a Smart Security IoT

environment. So we we wrote a framework through through global

global contributions. And we utilize aspects of NIST and

Carnegie Mellon. And we put together a workflow methodology

with that allowed for cyber professionals to step through a

series of domains. Now all of this is available freely to

download by the IoT security Institute website. And I

encourage people who are interested to do so. And it has

a series of let's call them domains or actors with

associated activities that ensure all of those aspects of

security by design, are factored into the process and considered.

Now, it's not a standard that stipulates you will do it this

way. It is very much consultative in nature, because

we're mindful that a white paper is a white paper. But a person

tasked with doing a job within an organization needs to have a

methodology by which to work through and engage. So the

framework is very much that, it identifies areas of concern, it

qualifies them, it provides action plans. It's all done by a

facilitation guide, which ultimately ends up in a final

report. So what does that all mean. It it says at the end of

the process, this is where we are; there. this is what we we

want to be. And these are all of the security and privacy aspects

that we've had to take onboard. Now, I won't go into elaboration

as I said, it's freely downloadable. But two of the

components that are there might be privacy, that might be one

looking at the privacy experts on it. We also have a domain

that covers Building Information Modeling, Building Information

Modeling takes into account the relationships that organizations

have with third parties and providers. So if you are looking

at a particularly critical infrastructure that relies on a

third party, what are the security controls, information

flows all the security components in that; it is

pointless you having a moat and a 50 foot wall around your

organization, when you're buying blueprints for an Hvac system,

or some other aspect or some sort of design principle from a

third party that's working out of a shared office. I mean, we

know where the criminals are going to go first, right. So

that's, that's, I mean, a little bit off track there. But But

what I'm saying is that that's an example of the process. So it

may not be applicable in your instance. But that may be

applicable in someone else's. And finally. And finally, it

even works with other standards. So it's not exclusive. If you

wish to utilize the framework and incorporate other aspects of

standards that may be applicable to your organization, you're

certainly capable to do so. But I think finally, that the whole

point is to provide a a guideline, a methodology

workflow, that allows cyber professionals to work through a

series of challenges, let's say.

Appreciate that ,thanks. But as I think

about frameworks, and there are several of them out there, I

think you put it rather well, that frameworks are not meant to

be followed blindly. They are meant to be contextualized. They

are meant to be looked at, from the perspective of the

organization, the organization culture, they need to be

compared with other frameworks. But it definitely offers an

excellent starting point, a checklist, a baseline to help

organizations kind of shore up their defenses. You know, you

mentioned about about vendors, buying Hvac devices from

vendors, one of the breaches that come to mind is the Target

breach. And the hackers were able to get in by compromising

one of the the one of one of Target's business partners. And

that's what's what's making our environment so difficult to

secure. Because you're no longer talking about an individual

organization, we're talking about the organization and its

network of partners, the supply chain. And, and so therefore,

unless every organization has the right security posture, it's

going to be a challenge, because there's always going to be

vulnerabilities, you know, this. Today we're talking about

vulnerabilities associated with IoT devices. I've had several

conversations about vulnerabilities where people are

the focus, but people are also part of this buying process of

IoT devices, people are part of the implementation process of

the IoT devices. So just like you said earlier, you just can't

focus on the technology, you have to focus on the other

aspects, the governance aspects, the people the process.

Exactly right. And you make a very good point here.

Numerous examples come to mind, a transport company moving

refrigerated content around the country is escaping,

temperatures are being commuted routes are being committed,

communicated and and beyond the company's control. I mean,

that's the solution. That's the that's the how they operate. But

third parties who who potentially support those IoT

devices who who manage and so forth, how secure are they

because if they're compromised, and it's, it's unknown for a

period of time, it's a direct impact upon the company. I mean,

if things are not going right, in that context, if you look at

sustainability within buildings, lighting is a very costly aspect

of doing business. That that is a very critical area that that

touches the bottom line, again, dependency against third parties

potentially, who are supporting that in some shape or form. So

So when when conducting if we were to look at the framework,

we would say, there's a very strong, you know, there's an IoT

device checklist Incorporated. Within that that comes to points

we spoke earlier. But there's also a whole lot of other

security practices, there might be IP involved. And I just like

to touch on this if I have a minute. I see that, you know, as

we have buildings that are certified for fire and water

damage, I envisage that in the near future, we will have

buildings that are certified for cybersecurity. And people say,

Well, why is that? Because remember, IP is one of the

greatest things you're going to have. And if that stolen from

you, then then you potentially lose your business, your

organization goes down. So you could spend millions of millions

of dollars in r&d to come up with something which is

innovative and progressive, have it stolen rebadged and sold at

1/5 of the cost because that organization that stole it, or

perhaps the the organizational crime unit that stole it and

moved it on, didn't have any of the r&d costs. So when we are

talking about this, we're not we're talking about so many

levels of interaction. So when I say the cyber safe building, if

you were to take an office, in some building in downtown,

today, you probably wouldn't think about you think, Oh, I've

got, you know, good encryption or good HTTP. But there are all

the aspects of a smart building that play into that into

interconnected world that needs to be factored into your

decision. And how are you going to factor that into your

decision. Organizations or corporation buildings or

precincts are going to smart certify their building to a

certain rating, so that certain companies will feel comfortable

doing business within that, within that, within that

building? So this thing just keeps unfolding Dave, it depends

how you want to look at it, but again, it's another

consideration of cybersecurity, as you said, as everyone's

concern, but it impacts us on so many levels, that, potentially,

we're not considering as much as we should.

And, you know, that's precisely why I'm

also very big on cybersecurity drills. We have fire drills,

that's very popular. But I'm not sure we have information

security drills at that level or at that scale. And I think,

whether it's implementing smart devices, whether it's expanding

your smart supply chain, you have to constantly test to

assess where the vulnerabilities are, again, easier said than

done. Many organizations do tabletop exercises, I'd say

something is better than nothing. But it has to be part

of the organizational consciousness, it has to be part

of the organizational governance, infrastructure

governance design, where there has to be constant testing, you

know, you cannot again, leave things to chance, like you said,

we will be adopting these smart devices, there's no going back,

we will enable our supply chains, there's no going back.

But we have to have that security layer in place. And we

have to constantly test to assure we have the level of

robustness that we desire. So so this has been a fabulous

discussion, I'd like to give you the opportunity to close it out

with some key messages for our listeners, as you know, our

listeners range from business leaders, cybersecurity

professionals, students, teachers, so you have a lot of

people to potentially influence here. Well, I'd like

to sort of break it down on a couple of things

that were involved with, obviously, the first is the free

download of the IoT OSI framework. Now that can be as I

said, freely downloaded and applied and dissected as as

individuals or organizations see fit. Part of what we did though,

was you know very much with an understanding of how the real

world works, is that part of the IoT OSI is also a Education Lab

or the educational initiative, then, which is the SSP campus.

Now, the SSP campus provides cyber certification for the next

generation of cyber professional covering a lot of what we

discussed, you know, talking about all of that involvement

and industrial control systems and the convergence of it, you

know, to things we haven't touched on today, but they don't

assure a well known by your audience. So what we do there,

we have a series of certification programs that

provide Yes, the future cyber professional the opportunity to

take all of this onboard and, and take this much sought after

skill set now as obviously, as we progress and receive some,

some very real world training as well as good academic uplift as

to how to apply that. So that's the aspect of of the educational

arm of that. And we also have the opportunity for people to

join the IoT cyber network, and be part of that. So if they wish

to sort of bump heads and exchange ideas, it's certainly

worth it. We're also very much a believer in in supporting up and

coming cyber professionals and, and we also have scholarships

through the SS campus. We've recently entered into a

scholarship with wom see a Latin America, which is an

organization that facilitates inclusion of more women into

cyber and to to make it much more of an inclusive industry

and that we're very, we're very proud to be part of that. We've

also launched a scholarship program for African women and

we're trying to work that through the campus as well. And

finally, without too much going on about things. We also had,

you know, part about involvement. As you know, what

you were talking about is we were working with companies,

organizations that are involved in the very nature of

cybersecurity services and so forth. Our SSP campus provides

authorized training partnerships with these organizations, which

you know, if I give you an example, you know, one of ours

is wellness tech group, which is a leading smart technology

service provider in the public lighting infrastructure and, and

other services and, and their brand. Iris Sentinel is their

cybersecurity unit. And then one of the assists campus authorized

training partners. So the objective there is they take

their cybersecurity suite of services, but they also provide

training and certification, where required are wanted by the

clients so that they leave something behind, so that the

people within the organization have the smart technology, smart

cyber skills. So that's a bit of a round up. But, you know,

welcome everybody to go to the website and get a lot more

information about all of that. And if you have any questions,

of course, you can always reach out through the various traps.

Fantastic, Allen that was great. I'd like

to commend you for running this nonprofit organization, we can

do with all the help the cybersecurity community I mean,

and why the cybersecurity the global community, we could do up

with all the help. And I would encourage the listeners in their

respective capacities to become, but to be more security

conscious, never to leave anything to chance, explore and

leverage the best possible resources out there, constantly

reflect, examine, analyze possibilities, because these

efforts are all well worth it. Because if we don't do that, the

consequences can be very, very undesirable. So once again,

thanks for talking to my listeners talking to me. It's

been a pleasure, Alan, and hope to bring you back again

sometime.

Thank you very much, Dave. It's been a

pleasure. I thoroughly enjoyed it.

A special thanks to Alan Mihalic for his

time and insights. If you like what you heard, please leave the

podcast a rating and share it with your network. Also

subscribe to the show, so you don't miss any new episodes.

Thank you for listening, and I'll see you in the next

episode.

The information contained in this podcast is for

general guidance only. The discussants assume no

responsibility or liability for any errors or omissions in the

content of this podcast. The information contained in this

podcast is provided on an as is basis with no guarantee of

completeness, accuracy, usefulness, or timeliness. The

opinions and recommendations expressed in this podcast are

those of the discussants and not of any organization.