CarahCast: Podcasts on Technology in the Public Sector

Smart Cities: IoT Security

Episode Summary

Join us for a discussion on securing your devices as IoT becomes a foundational component of Smart Cities moving forward.

Episode Transcription

Speaker 1: On behalf of Tenable, Waterfall and Carahsoft, we would like to welcome you to today’s podcast focused around Smart Cities: IoT Security, where David Graham, Chief Innovation Officer in Carlsbad, CA, Mike Cannon, Chief Technology Officer in Stafford County, VA, Mike Firstenberg, Director of Industrial Security at Waterfall Security Solutions, Michael Rothschild, Senior Director of OT Solutions at Tenable, and Nikhil Gupta, Core Cyber Sales Engineer Team Lead at Carahsoft, will discuss securing your devices as IoT becomes a foundational component of Smart Cities moving forward.

Nikhil Gupta: Welcome, everyone. Thank you. We definitely have a good session, we have a lot of experts. I'm the Carah expert, I guess resident in house. But the ones that we're having on the on the call today, I'm about to introduce them. All of our panelists. They're the real experts here. I'm very, you know, honored to be here and kind of moderating a session between them, we're getting going to get good perspectives from both sides, we're going to get some, we have a couple of people from Tenable and Waterfall security solutions, our sponsors for the event. And then we also have some representatives from municipal governments and in different counties in the US. So good perspective to get both, you know, we can get our vendor perspective and then as well as the actual government employees perspective, right, some things we're working on so. So without further ado, let me introduce all of our speakers for today. The panel that we have, these guys have very, very long and very established pedigrees. So it's amazing how much these guys have done. So we're going to start out with you, David. David Graham is the CIO for Carlsbad, California. He is a veteran local government leader. He's worked for the county of San Diego, the city of San Diego and private sector public affairs. Right now, as I mentioned, he is the Chief Innovation Officer for the City of Carlsbad, in the first position of its kind in the San Diego region. He's covering all the Illinois electric car share fleet in North America. He's an open data platform for development permitting and the largest municipal leader for Internet of Things platforms, he is using smart streetlights. You know, he is one of the first and one of the largest municipal areas and leaders that are that are have this in his environment in North America. David is also a board member of St. Clair clean tech San Diego, a board member of scale, and a founding member of natural lab network. 
He serves as the national and regional leader in smart and sustainable communities. He also co-chairs the Civic innovation executive chair program in the technology Entrepreneurship Center at Harvard. And as a co-chair of the UC San Diego civic leadership council for the School of Global policy and strategy. David is instrumental in bringing public sector insights to academic programs. He's also the co-chair of the San Diego Smart cities Alliance. And he is definitely a recognized leader in a regular conference speaker nationally, internationally. I'm happy and I'm pleased to kind of have him on. Well, the panelists today. So David, thank you for joining us. So some for next after David. So we're going to introduce Michael Rothschild. So Michael, he's the Senior Director of OT solutions at Tenable, he's been in the industry for over 20 years. He has 20 years of security experience in the OT space. Right now. Obviously, he's been at Tenable for a little while now. He has been a Professor of Marketing before he has published several works on the topic. And he also currently occupies an advisory board seat at Rutgers, Ithaca College. He is also a very good expert in this space and has had a lot of conversations and kind of good talks internationally, internationally as well. So, Michael, thank you for being here. And being a part of the panel as to for not to confuse everyone. So we have a lot of as you guys might see we have a lot of mics. Michael's on the line today as part of our panelists. So Michael Rothschild was the first one I just introduced. Going to be introducing now. The first Mike, Mike Firstenberg. He is the director of industrial security of Waterfall Security Solutions Mike, he brings over two decades of experience and control security. I specialize in system cybersecurity. He's also the former chair of the American waterscape Council, and he studied computer science, chemical engineering and mathematics at the University of Pennsylvania. 
He's actively participating in ISC which is a member of the ICSJWG industrial steering team and serves on committees that have created industrial cybersecurity guidelines and roadmaps in many sectors. Mike Firstenberg or the first mic for today. Thank you for being here and being part of the panel as a pleasure. And then last but not least the second mic for today. Mike Cannon Chief Technology Officer also so this is another you know leader in the in the government space for Stafford County, Virginia. Mike has over 30 years of it experience. He's served since 2016 as CTO or Chief Technology Officer for Stafford County. He manages a staff of about 20 people in about a budget of 3 million. He's focused on and has been focused on broadband expansion throughout the county for the pandemic and building the first of its kind Smart City testbed for the Commonwealth located in Stafford. We're gonna ask him about that later. Just a little heads up for you guys. It also utilizes smart bid technology in a variety of IoT devices to demonstrate and validate a very variety of use cases, focused on public sector, safety, the environment and quality of life. He's also the CIO for the International City County Management Association, from 2013 to 2015, a nonprofit organization that actually serves over 10,000 members in local government management. Prior to this job, he's served as was the ice, the Chief Information Officer CIO for the city of Rockville, Maryland. That's a place near and dear to my heart. I grew up next to Rockville and Maryland. So I appreciate that Mike, he developed and implemented to strategy strategic, it plans there and was responsible for building the city's first institutional network of fiber connecting the city's facilities. And then he's done a number of consulting engagement engagements for the city and county over the past two decades continues to do so for Rockville. 
And then he's always the program chair of society of Information Management Capital Area chapter for a lot of the C-level tech execs in that area, too. And then he holds a bachelor's degree in economics from Brigham Young University and a master's degree in business administration, from the University of Maryland Smith School of Business. So Mike Cannon, thanks. Well, the second mic for today. Thank you. And it's a pleasure to have you on the panel too. So. So with that, everyone, that is the panelists for today. A little bit of an intro for you guys. Obviously, we want to get into the contents, let's go ahead and you know, kind of go right into it. So first question, everyone. And you know, again, thank you for everyone being here, audience and as well as the panelists. This first question is going to go to David, David Graham, you're obviously as a CIO for Carlsbad, California. I wanted to ask your opinion, to start us off about IoT security, this notion of IoT security, right, wanted us kind of start off our discussion today, looking into, you know, obviously, we when we think of IoT security, we're thinking of technology, we're thinking of tools, we're thinking of, you know, getting, you know, best in breed products or cybersecurity solutions, right. And, of course, that's a component. But I want to start off the conversation today looking at like the people and policies around IoT security. Talk to me about that, and how kind of IoT security is not just adding another tool, but it's also dealing with in kind of improving upon a lot of the experts and the policies we built in the IoT space for so many years already.

David Graham: Thank you so much for the question. And I'm very interested to hear from all of our panelists through this appreciate Carahsoft pulling us all together, because, you know, IoT, or people even say IoT Internet of Everything is something that has been a very hot topic. But I like to think about the fact that we go back to a lot of fundamental principles regarding the deployment of it and just general network cybersecurity. Sure, we're focusing on the devices we're focusing in on things like smart streetlights, smart water meters, we're thinking about the fact that you can deploy these sorts of things, whether it's traffic management, mobility, parking, there's so many different ways that you can use connected devices to support the big goals that our communities have and improve the lives for everyone. And certainly, we see really scary type doomsday scenarios of what happens if hackers get ahold of the water system and begin poisoning people, stuff straight out of the movies, right? And well, those are possible. Fundamentally, when we look at the types of issues that we're facing, it really comes back to some fundamental things that matter and in it, and IT security, which first and foremost is networks and network security. I think that while you may be concerned about the devices on the edge and making sure that they're secure, we have much greater vulnerabilities in our connectivity in our networks, oftentimes too many networks, not upgraded applications that aren't patched and more importantly, people that aren't patched. And I joke about that because, frankly, the biggest weakness we have in our entire cybersecurity scheme are the workers and contractors and the folks that are connected to our network, you know, clicking on that link, bringing that dirty thumb drive. 
Those are the sorts of vulnerabilities that I think not before focusing on the IoT security, but as much effort and resources need to be put into your overall approach to security for all of your systems. And IoT is just another part of that. You can have the most secure devices and if the rest of the network and the people operating it and the people using it are not appropriately trained haven't are not updated and don't know their role in this and Then the most secure devices in the world aren't going to save you from something disastrous because we still see even though those doomsday scenarios of someone taking over your traffic signals and causing accidents are interesting to ruminate about, the most likely scenario is going to be a normal ransomware attack, locking up your ability to access data, your ability to operate certain things. Because ultimately, the vast majority of the folks that are intended to do nefarious things with your network just want to get paid. And however that can happen is what they're going to focus on. So people policy programs, and overall cyber health, cyber security, cyber hygiene should be your first focus. And I will tell you that when it comes to the devices themselves, partnering not just on the acquisition of the devices, but the ongoing operations, the security associated with them. And really partnering with those vendors on the outcomes is going to be your best way of ensuring that the needs of the public are met, that what the community cares about is being met. And that you can have the best cyber posture possible when deploying these exciting new opportunities, devices and ability, really to improve the lives of the people that we serve.

Nikhil Gupta: Perfect. Thanks, David. And for that, and I love that you commented, of course, and you just mentioned the doomsday scenarios. But then, of course, just mentioning, you know, as we saw, ransomware, right ransomware can escalate in can kind of hit our IoT networks just by hitting the main it network, right. And it can kind of traverse and in the same issues that are causing some of the attacks today can obviously plague us for the IoT. What we can do then go to the next question, David, as you know, well said there, this is a kind of a similar question, I guess, another one directed to you as a follow up to the last one. So talk to me a little bit about public engagement when it comes to IoT security, right? Obviously, we have PII to protect, right, we have personal information that the customers are some of our, you know, citizens within our cities have to manage and, and obviously, there's large ramifications for that data to come out and being stolen. But then at the same time, you know, we do have to collect some of that data, right, to better use our IoT and to better do security. So how do you juggle both sides, looking to secure important information, but then also leveraging it? And, you know, that whole aspect of data privacy that, you know, everyone's talking about, that's obviously a big concern these days? So, you know, how do we how do we take IoT ease and kind of protect, and do ensure data privacy from a security perspective?

David Graham: Well, fortunately, in this particular case, you know, the technology really has solved a lot of these issues, because you're doing a lot of edge computing, and you're only really transmitting what is necessary, the bits and bytes that are necessary for the analytics or to drive whatever solution that you have. And in that way, by setting things to delete by not retaining things, like video and those sorts of images, and really just transmit the analytics, one, you're reducing your cost of connectivity, which is allowing for things like using cellular networks for some of this, but really a lot of edge computing is going to be one of your best ways of doing that. And then second, having strong policies around retention. Now here is where depending upon what state that you're in, you may be a little bit behind the curve, because we think about document retention as paper documents and those sorts of things. And many of the policies regarding retaining documents for public records, Act requests and the like, really have kind of a paper based perspective to them. But I think in many ways, we are have found that you really don't need to collect our keep for a long period of time sensitive PII. In most of the scenarios, unless you're talking about public safety scenarios, you know, you're talking about parking management, traffic and mobility, water meter reading, you don't even need to be collecting and analyzing PII you can do even if you're doing no video analytics, a lot of that can happen at the device on the edge, and then you're only transmitting what is necessary to drive whatever it is that you're doing. Now, when you're talking about public safety systems, public security systems, recording video retaining that video for things like, you know, law enforcement and investigations, that's going to be a little bit different. 
But there again, we have a long history of how to deal with things like public safety cameras, systems, I mean, shoot, the City of London has one basically CCTV camera in the city for every three citizens. For every three residents in London, there is a camera. So we've dealt with this situation before. It really comes down to making sure that the public has appropriate expectations as to what's occurring, the end of the standard rationale, the reason why and that you're setting your policies really to when that data is no longer required to be retained or needed, that is being deleted. It's being dumped and really thinking through on the front end in your deployment, do you actually need to be retaining that PII to accomplish the goals that you have in the first place? And I would argue with everything that I've seen most of the time, you don't.

Mike Firstenberg: So I'd like to jump in here as well. Because the focus of the question on PII and protecting the data, David's answer delves into that in depth with the bits and bytes, document retention policies. And we have to remember, and we've learned this lesson in other realms, that in this realm, it's not just data that we're protecting, it's familiar, we've been working with data for decades. So we, we do tend to gravitate to it. But it's also a cyber physical system in many ways. So we do have to be prepared for the security of the physical world as a result of what we're doing in the cyber world. David started alluded to that in his previous answer, talking about the networks, and, and the technology used to enforce what the people define as the security. So I want to make sure that we're taking a holistic view of what is security and not focusing solely on the data.

Nikhil Gupta: Good point there, Mike. And just to piggyback off of that a little bit, and you mentioned, you know, it's is a physical system. Right. And, and we've heard that we've seen this, right, like we've seen, you know, to some extent the Colonial gas pipeline attack, we've seen instances of systems being turned off ransomware, you know, encrypting cities and all whole networks, for example, you know, one of the ones I studied back in 2018, the city of Atlanta, they have their utility districts in their utility, basically, portals encrypted and shut down so that no one could log in, and no one can pay their water bill, right. Those Doomsday things, but, you know, at the same time, so to kind of piggyback on what you just mentioned, you talked about, obviously, physical systems, protecting them. Talk to me a little bit about like, you know, some of the attacks, we've seen ransomware. And, you know, how is it affecting, you know, what, in the case of oil and gas pipeline, and you shed some light there, but just curious to hear your thoughts on that.

Mike Firstenberg: So I was wondering how long it would take for somebody to say the words Colonial Pipeline, made, it's 2021, they've had just to be clear, I want to I want to make absolutely certain, I do not speak for Colonial Pipeline, I have not associated with them. They're not a customer. Anything I will say about Colonial, is from the public space, I also do want to clarify, when we're looking at cyber physical systems, the fact that people can't pay their water bill is not a doomsday scenario, the water utility, well, we'll build on it tomorrow, as long as we keep the water pumping to them on demand of certain quality today, that's what's important. And that, that goes back to the networks that David was talking about, at the at the start of this when we've got to know what our networks are, and make sure that we're that we're focused on the protection in real time of our systems that that matter at the lowest levels. You know, the fact is, if it if we've got that connectivity, if we haven't been managing the connectivity, or we haven't been documenting the connectivity appropriately, we may have to shut down out of an abundance of caution, which is now the key phrase for 2021 was shut down. Now, an abundance of caution had to do that if there was connectivity, or there was dependencies on resources, from the critical network, to an internet accessible network. And that's really what it comes down to is, we've got to, we've got to make sure that we understand what we can separate so that when the ransomware does hit that billing system, when the ransomware does hit the administrative computers in the municipality, while the MUA computers used for the treatment and distribution of water and wastewater systems annotation. They keep working because we've done our homework. And we've implemented proper security solutions to enforce the policies that the people want, as David alluded to earlier.

Nikhil Gupta: Good point there, Mike, and thanks for that answer. And as you mentioned, of course, right, having the solutions, looking at all the increasing breaches, it all comes down, as David mentioned, right to in the beginning policy and technology, right. And at the end of the day having tools to enforce that policy. Right. So yeah, as you mentioned, good point there. So to kind of switch topics a little bit, obviously, you know, Mike, I wanted to he wanted to hear from you too. You know, as I've As the CTO for Stafford County, I've heard a lot of talk about this testbed, this smart testbed. Talk to me a little bit about that curious, I'm curious to learn about that initiative. And you know how you're using it from an IoT security perspective. 

Mike Cannon: First of all, thank you for putting me on your panel, it's honor to be part of it. And with all these distinguished presenters, so, so the Smart City, or actually, it's the Virginia smart community test, that is the first of its kind in the Commonwealth of Virginia, it was a partnership with Stafford County, and the Center for innovative technologies, which is the Commonwealth of Virginia is nonprofit arm. So it's essentially an extension of the state that largely funded this. So we've housed it literally to my left, and the image behind me. And what it basically is, is a place where companies can bring certain IoT use cases around Smart cities and smart technologies to test and validate and hopefully bring into production as well. We are about to embark on building a downtown Stafford, we want to make it smart. It's a Greenfield development. So we have an opportunity to start from the ground up, now start from the dirt on up and not have to retrofit anything. So we look at as a real opportunity. And I think some of the participants in our testbed also do and that's why they're interested, because not only can they test validate, but they could literally bring it across the street to our new downtown that we're building. The types of use cases are really focused around public safety, and also in the environment. We have 15 flood sensors we've deployed, we also have smoke sensors that are picking up signatures of forest fires and other type of particulate matter across the nation, including the forest fires out west, we're able to pick those up. And those are, you know, through a homeland security grant that CIT center for innovative technologies received that kind of extends onto lots, we also have doing a lot which rounds pan up partnerships we have with horizon product they have called skyward, which provides a dashboard with situational awareness of drone activity. 
So you can literally have a drone operator that can make the image that there's a video that they're saying available in a cloud environment for others. So in a public safety environment, that means you can have the 911 Center being able to view the drone footage as well as other officers in the field. And it works, you know, obviously for fire and rescue as well. And the nice thing is it also provides telemetry data, a breadcrumb map, the trail, the premise time over and all that can be recorded and kept for evidence purposes. So really powerful tool that Brian is developing, you know, and is an active participant in our testbed, we also have other things like indoor 3d imaging, we're doing also on the Smart Lighting project with a company called Signify. It's a division of Philips Lighting out of other ones, and then looking also to do some things with smart health in the near future to with smart hospitals and telemedicine. And so the way the testbed functions is not, and we also use it as a place for entrepreneurs and others to visit and learn about these technologies and what we're doing. One of the very first use cases we did, which we wanted to demonstrate the security of all these devices, as the other panelists have mentioned, you know, IoT security is paramount for any kind of successful smart city or utility operations. And with IoT devices, even if you were to just slow them down or speed them up, you can wreak havoc, as we learned with Stuxnet, or other types of attacks that potentially could happen in the water treatment world, you know, the Florida example is a great one. And if you can affect the map chlorine going into a water supply, you can literally kill 1000s of people very quickly. That's all bad. It's significant the risk has. So the use case we launched was one based on Zero Trust platform. And if you can separate your network using cryptography, you can really make things infinitely more secure. 
We had a partnership with a company called enclave that has a blockchain based IoT security platform. It provides a way with these administrator console and orchestrator consoles to essentially create a bridge for IoT devices to reside in a secure network environment.

Nikhil Gupta: Yeah perfect, Mike. Definitely for that testbed. I think it's pretty cool. And, you know, you Mike, and of course, our leaders, you know, we have both sides, right. So we have people working at Tenable and Waterfall security on the security side, we have, you know, the actual technology testbed that you're working on Michael cannon and basically it's interesting because you guys are working on some of the, you know, the future technologies that I hear about, right that we hear about stuff of comic books kind of thing, right. I think it's pretty cool to see some of the things and projects that you guys have, you know, I know the next I'm driving through Stafford and you know, I'll definitely think about it, right. On my end and some of the things you're working on. I think it's cool. And the technology is cool. Right? And this is why I guess IoT has exploded, of course, right. So recently, which, you know, as Mike and we're going to get to you, Michael, as well, Michael Rothschild, what that brings security challenges, right, and we'll have to talk about that. But it is, from your perspective. Michael Cannon, it's definitely interesting to see, you know, some of the projects and some of the test beds. And you know, as you mentioned, using some drone footage for police forensics and stuff like that, right. Like, those kind of possibilities are pretty cool. And I think we just have to take good care to make sure security is in place too. Right, so.

Mike Cannon: And one of the things we're also doing just briefly as I'm extending it to 5G too, so we have rising 5G Tower, right outside our testbed plus one inside, when you can start getting speeds of like 3.2 gig on a cell phone, it opens up a whole lot of possibilities of things you can do.

Nikhil Gupta: Yeah, I'm sure as a consumer’s perspective, right, watching that video so much quicker, no one buffering I but obviously, there's actual real life use cases there, too. So to go off from that a little bit, I wanted to bring this next question for you, Michael. Mike Rothschild, so obviously gonna say the last names to make it clear, obviously wanted to kind of get you in the discussion as well, as a leader for Tenable. Of course, you know, I know, IoT. And we talked a little bit about it just now you've been talking about IoT devices. By definition, there's something of an IP address, right? We've heard a lot of talk about people saying, well, why can't we just use traditional security? Why can't we just use firewalls, antivirus intrusion prevention, right, anything's that we've been working with, you know, traditional IT systems and your desktop laptops will not work and not safe got our smart city. What's the challenge here? Why is what makes IoT I guess, so much different?

Michael Rothschild: So IoT technology is extremely interesting in that it provides just so much in terms of efficiency, cost, efficiency, effectiveness of things, just to use one example, you know, the Alaskan pipeline, you know, there used to be people that actually went out and check that it was still flowing, what the viscosity was, what the temperature was that somebody didn't go out and shoot a hole in it. Today, all of those things can be monitored by the industrial Internet of Things, or IoT. So it's not, you know, your Strava watch or something else like that. That's loading up stuff. But it's actually stuff that's put in an industrial environment. Smart cities is a perfect example. We call that the OT environment. And really, within a smart city, within anything industrial, anything critical infrastructure, we talked already about water, we talked about pipelines, adding something with an IP address, allows it essentially opens up an additional attack factor, doesn't mean we shouldn't do it, it just means we have to provide the appropriate security. And when we look at OT environments as compared to IT environments, OT environments, up until 20 years ago, were air gapped, there was nothing that came in, there was nothing that went out. And over the course of time, for some very good reasons, there has been a convergence of IT and OT, some industry, some customers more than others. But there are openings to the Internet, and IoT, the industrial Internet of Things is one of those openings. OT does operate in a very different environments. Some cases, somebody explained to me once that it's like kind of like IT of the 1980s. In terms of maturity, from a security perspective, there are things you can do in an IT environment, that is fine. 
You can do port scans, you can look for things that are open all this other stuff, and an OT environment, OT environments don't lend themselves to do scanning that the actual network will fall over the PLC or DCS or whatever else have you that run things like Smart cities will actually not work. So you do need different security. That's not to say that IT security is important. We have IoT devices in an OT environment, things like HMIs, which is the human interface for the PLC, or the programmable logic controller, there's a lot of IoT devices in an OT environment. But we also have to safeguard our OT things, things like programmable logic controllers, DCSs, these types of things. And they do require a slightly different way of doing security. Same concept, we're still looking at policy anomaly signature, we're looking at devices, but they have to be done a little bit differently in order to maintain the integrity of that crucial system.

Nikhil Gupta: Perfect. Yeah, Michael. And that's what that's what I've seen on my end, too, of course, with just some of the tools that I've worked with and some of the users right, legacy systems, right? It's always gonna be something that plagues OT environment, legacy, right? Like, it's hard to patch, it's hard to update. It's something that, you know, we can change our computer every couple years, every two or three years. We can patch it, tried doing the same with like a, you know, a dam controller, a highway monitoring system or, you know, assembly line, you know, whatever, you know, energy grid, sensors, you know, those are all kind of They run on proprietary legacy protocols, operating systems, it's you have to purchase, it's expensive to replace. Right. So definitely I'm hearing that as well. And I'm happy you commented, of course on that. Mike, I think I see you wanted to add something.

Mike Firstenberg: That was put there to last 20 years, 30 years, it's only legacy because you're used to three to five years in the IP accounting space. You got to adjust your timeframe.

Nikhil Gupta: Good point there. Yeah, definitely, you know, and I guess it's part of the whole, the spoil generation to you, I get an iPhone every new year. Right. So there's definitely a difference between space so Okay, so yeah, Michael, thank you so much for that. Michael Rothschild, sorry, gotta say the last names here. To continue off of that, I wanted to change a little bit of topics. So obviously, we talked about some security, we talked about some of the, you know, the characteristics of OT IoT. And what I wanted to get into kind of partners and working with partners and kind of this. David mentioned this in the beginning that, hey, it's a relationship, right? You know, us the municipal leaders need a partner and have a relationship with, you know, some of the providers out there that whether that be for technology, whether that be for security, but that partnership is what over time is going to get through some of these challenges. So I guess, you know, Mike, will go to you. And of course, Michael Rothschild, if you want to chime in too, because you guys are both on the partner side, and the vendor side, but as a representative from a vendor, Mike, how are you working with other partners to help address budget concerns? When IoT security always obviously, budgets, always something, you know, we don't want to overlook security. But at the same time, you know, you want to have that relationship? What are some of the things that you've seen? Or some of the ways that you were, you know, you've partnered others or partnered with some of the cities?

Mike Firstenberg: It's a great question. The fact is, there's a lot of vendors out there who are going to come in, I'm selling you this secure widget, I'm selling you that secure thing, I'm going to make you secure with the thing that I sell or the service that I sell. And it's kind of a meaningless statement, because there actually is no such thing as security, you can be more secure than you are today. Or, you know, you could be less secure than you are today. But can you actually be secure? Can you make that IP connected device that Michael was alluding to? Can you make that secure? Well, it's if it's IP, and it's got a connection to the Internet, bidirectional or remote access? Well, it's a ransomware target, it's a target of opportunity. You know, it's just something that could be found out there and take on whatever is floating about, that's happening more often than we hear about just from the folks that we work with that at various infrastructure owners. So that in terms of budget, I always caution people against talking about a security budget, because the security, like I said earlier, it's really subjective. First of all, you as the asset owner have to define security, if you're looking to me as the vendor to tell you what security is why we got a problem from the stuff, I would couch it as risk. And I haven't always been a vendor for 15 years prior, I was an asset owner and getting budget for security's tough, getting budget for operational risk reduction or risk avoidance, that's a significantly easier challenge, because now I'm talking in business terms that that can be understood by the folks who control the dollars and cents that are going to be allocated to my budget. So yeah, we work with folks. We're a technology company, we sell technology. But you know, we're happy to work with folks on how to get that money for that budget to do what they need to do to reduce the risk for their systems. 
I won't go into it in depth, but you know, I've given plenty of presentations on how much is enough when it comes to cybersecurity because it's always possible to spend more. How do you know when you spend enough?

Michael Rothschild: And I think, dovetailing off that, you know, one of the important things is that every organization, I spent a lot on security, firewall, IDS, VPN, you know, you name it, they've had it. One of the most important things that I think for everybody on this call is to use the investment that you've made. And what that means is, especially when we talk about things like IoT, or IoT technology and belonging to the IT side, going to the OT side, right, it's that lateral creep of an attack. So if you can bring the technologies together and have them work together, that's really important. And just to single out and microsecond, perfect example Tenable and Waterfall work together. So you know, we will check the security on the OT side that goes through the Waterfall firewall and can go to a SOAR or SIEM product seamlessly and it can be secured. So when you start to use these things together, what you're actually building is an ecosystem of trust that really helps you find some of these lateral attacks that can start in one area of the network and easily traverse elsewhere. So use the technology that you have, if you add technology, make sure that they can work together to have that ecosystem of trust.

Nikhil Gupta: Yep, perfect. Thanks, Michael. And I'm like, you know, on my end, I always tell people, we don't want to rip and replace, right? Those are just things that we need to get into budgeting, you get into rip and replace, that's just a conversation you don't want to have, it's just putting you on the wrong foot. Right. So yeah, absolutely. You know, how do we work with the existing tools you do have partner and integrate with them. And then also, of course, partner with yourself a partner with, you know, establish a relationship where we can continue to build, you know, that security solution for your team environment. So thank you guys for that, I guess, to you guys, Michael Cannon and David Graham, do you guys want to add anything on your end, obviously, from the, you know, from the government leader perspective, in the asset holder, anything to add as far as partnerships with vendors, and you know, all that what Michael and Mike just mentioned?

Mike Cannon: Sure, I mean, I could start. So the challenge on local government, as you know, you're making budgets where you have to anticipate 18 to 24 months out, and a lot of cases from the time the budget process starts. So that's how you actually get your money. We're already starting our budget process for next fiscal year, which starts July 1 of 2022. And so I've got to anticipate between now and the end, and then June 30, of 2023. And that's not easy in the world of technology. And with security and the threat landscape constantly changing. It's really, really challenging from a procurement standpoint. And then partnerships are essential. You know, we have some managed services, agreements and apps, and certainly some security monitoring and SOC services that we receive. I mean, those are the kinds of things that really help bridge that gap, when you can't necessarily step up, or buy technology out of whim like it would be in a perfect world you'd want to be able to do, and then you know, the testbed has really, really helped us because, for example, the Zero Trust model with enclave is something that we're looking at for our SCADA systems and other things. So I think being a part of some innovative things, has really led to some really great things for us, as a county, and hopefully, something that can be replicated to other communities within the Commonwealth or outside of Virginia.

David Graham: And I really commend Michael Cannon for what they've done with the testbed and having done many different pilots, I think there's a couple of approaches to the partnership with a vendor that can be really useful. The first is pilots are helpful, but I'm more of the opinion of pilot to procurement. So a pilot is just a part of what you're already intending to do on the procurement path. If you just want to deploy something small scale, prove it out, see if it works, and then try to make a decision on whether you're going to adopt that solution, I think you're gonna end up with a much longer timeframe, as opposed to saying, look, we've identified the challenge, we've defined it, we have one, two or three vendors that we want to test out their solution. But one thing that we know for sure is that this is a challenge that we want to solve, that there will be resources behind it. And it's something that meets public goals, political goals, internal goals. So you're not starting to say, Oh, yeah, let's just test out a bunch of different types of technology. If you want to run a testbed, and you have a leadership that believes in that great, that will work. But I think for most cities, it comes down to a very clear definition of the challenge you're trying to solve, bringing in the partners that can help you solve that challenge, piloting, to some extent to see if a solution is the right one to solve that challenge. But the challenge definition and the clear understanding between the vendor vendors and the municipality, that the ultimate goal is solving the challenge, not just trying out a bunch of different types of technology, and that it's one that there will be resources behind that there will be support behind that you're really it's a traffic problem. It is a water quality problem. It is environmental pollution problem, something that there is political will behind and administrative support for pilot all you want. 
But I think both the vendor needs some certainty that the time and effort that they're going to invest in piloting solutions, hopefully will pay off if their technology works with a larger contract to do X, Y, or Z. And for the community for the city. You have identified something that may transcend let's say changes in city manager leadership or your political leadership because it's something that at its core is important to the community and trust me, you can always find a problem that needs a solution in the city. So that is not so much the problem. The problem is a clear definition of the challenge that both the municipality the vendors etc. can buy into, and then pilot to procurement are some approaches that I've seen and used that have been really useful.

Nikhil Gupta: Thanks for that perspective, David. And you know, it's good to see you know, and kind of, obviously, as you mentioned, pilots, for sure pilot to procurement. I've seen that for sure. And I'm, you know, I think that's something that everyone is doing and are shooting for at least and trying to do so happy that, you know, the resources are behind this, of course, and behind kind of finding solutions for some of these new problems. Kind of to transition to the last topic for today, guys. So obviously the future right, what does the future hold? And, you know, I'm sure everyone here has some thoughts on that, from a vendor perspective from, from the city's perspective, municipalities perspective, what they're working on. Obviously, I've heard the term digital twin, we talked a little bit about that in our IoT data analysis webinar that we did a couple weeks ago. Is there a similar use case for digital twin technology and IoT security at all? Personally, I don't know. Maybe you guys can chime in. But that's one aspect of the question. The other aspect, of course, is just in general, hey, what do you think the future holds for IoT security, you know, Zero Trust incorporated within IoT security, I guess what we can do here, I'm going to start with you, Michael Cannon, and then we can kind of go around the panel. But, Michael, anything to add on here, in terms of, in your opinion, what you think the future holds, you know, for IoT security?

Mike Cannon: I think, with this increased sophistication of attacks and threats out there, it's going to be even more critical that hardware vendors that are making these sensors, and the networks that are built around are focused on security. So much of Smart cities, and the technology behind them are all about improving the quality of life of citizens, you can also wreck the quality of life of citizens if you don't do it right. So, and then also data privacy, protecting personally identifiable information, and all of the things around that. As many of you see, you know, privacy has become at the forefront of so many things these days. And, and, you know, certainly European standards are not the same or even tighter. And I think those are going to gradually find their way here like they have in California. And then there'll be other parts of the country.

Nikhil Gupta: Perfect, thanks. Thank you, Michael, we can go to you next, David, if you want to chime in.

David Graham: So I agree. And I will add that what the future holds is more of the same, which basically is there's going to be a rising trend in more and different types of IoT that gets deployed, we will as humans be more connected, and the systems that run our communities will be more connected than ever before, which will increase the vulnerabilities and the bad folks are going to get more sophisticated. And we'll have to get sophisticated along with it. And so I think setting a, and this may be a bit doom and gloom, but setting an expectation amongst the public and leadership, that cybersecurity is something that is everyone's issue and a collective challenge to address. For example, we just launched a cyber awareness for small business program where actually the city is providing threat assessment software to small businesses and training, because our businesses, you know, have just started coming out of the COVID situation could get hit, and you can see businesses actually going out of business. So we're seeing this as a community wide issue, question and problem. And as sophisticated as we will be, no one, to Mike Firstenberg's point, will ever be fully secure, there will be no perfect, we will continue to be vulnerable, we will continue to be hacked, we will continue to be breached. The difference, I think is setting an expectation that we have done everything possible to reduce the likelihood and more importantly, can rapidly respond and be resilient to any attack that ends up happening. I think that is the new perspective that should be infused in our communities in our leadership across the board. There is no suit of armor that cannot be pierced. I mean, we've seen this through history, right? We figure out the next new armor and then somebody invents the gun, right? We invent the next new, you know, defense system and somebody invents a bigger ball. 
So that is the exact same thing as it relates to cybersecurity, reset the expectations of the community, your elected officials and leadership, that it is not a question of if it's when but that we are as prepared as possible. And we have set things up to bounce back as quickly as possible. I think that is the new approach, and will really help address the concerns around the deployment of IoT. Because let's face it, there is a lot of benefit for the operation of our communities for the benefit of the public for the well-being of our lives that can come from rapid deployment of IoT, if done properly and correctly, and setting the expectations and the value analysis associated with that as will be crucial. And ultimately, if we're doing this 10 years from now, we will see great benefits from what has been deployed in our communities that in turn will transform the way that we live.

Nikhil Gupta: Perfect. Thanks so much for that, David. And good context. I guess, Mike Firstenberg will go to you next.

Mike Firstenberg: Right? Well, it's been an honor to be a part of this panel with everybody here. Thank you for having me. I'm going to respectfully disagree with some of the things that have been said and hopefully limit the inflammatory nature of what I'm saying. Yes, there's going to be more systems that can't be argued, there's all we know, there's going to be more we project that there's going to be more ransomware, we project that there's going to be new attacks, and we have absolutely no control over the attackers. It's foolish for us to think that we do when we look at the risk equation and the threats and the vulnerabilities, we don't have much control over either of those, we don't have much control over the likelihood if we decide to connect our systems to the internet, or to a network that is connected to the internet, that our stuff can be reached through a hub, or through a pivot point, depending on your choice of nomenclature. So that's what we really are looking for. That's what I'm looking for the future is a shift away from the intent to secure devices to the management of risk of systems. I think that's where the future is headed. You know, it was mentioned a couple times by various people, the need for resiliency and recovery. And I think we've demonstrated with a pipeline with a water company with a traffic light with a streets department that we cannot do that fast enough for the public to be satisfied. And with that, we need to really consider how we're managing the risks associated with what we're deploying, and making sure that we're going in with our eyes wide open, and truly evaluating the risks understanding what we have within our control.

Nikhil Gupta: Perfect. Thanks so much, Mike. And then, you know, obviously, last but not least, Michael Rothschild, the phone and getting your content.

Michael Rothschild: I think all of my colleagues on the panel have raised points that I would have raised as well. You know, I think at the end of the day, we don't know what's happening next, we don't know who the threat actors are going to be. It sometimes can be an insider that does something completely innocent, but opens up things. It could be nation states, it could be hacking, it could be anybody. You know, if we were having this discussion a year ago, we would have been talking more about malware and ransomware. So there's always a new threat du jour and I think the most important thing is, is to recognize that there are going to be threats, it's amorphous, we can't predict what they are. I think what we can learn from that and all of the technologies in the world will start to pivot towards visibility. If you know what you have, you can start to secure it. And I don't mean I have, you know, a server, I have a PLC or whatever. But actually knowing what is happening. What's your patch level? What's your firmware version? Who has access to this? Are they running risky protocols are ports open that shouldn't be open? I think having that deep situational awareness is going to help us in the future because once we know what's there, we know what needs to be secured.

Nikhil Gupta: Perfect. Thank you so much, Michael. But I do want to thank Mike, Michael, Michael Rothschild, Michael Cannon, David Graham. Never gonna get used to that but definitely, thank you guys for being part of here. I'll make sure we can get a Michael moderator next time too. So. But anyway, thanks for sharing your wisdom expertise with us. Thank you, audience for joining us. I hope this was informative. I hope that was helpful. We got to hear from different perspectives, different, you know, points, counter points, objections, whatever and all that kind of good stuff.

Speaker 1: Thanks for listening. If you'd like more information on how Carahsoft, Tenable or Waterfall can assist your agency, please visit www.carahsoft.com/slg/smart-city-webinar-series, or email us at CountOnCarahsoft@carahsoft.com. Thanks again for listening and have a great day.