So you start it, we probably won't finish the entire talk. I want to leave time for questions. And some of this, you know, if you've been in the security seminar before, you might have seen some of this from one of my students. We've sort of done work over the years and things have evolved as far as new data, new applications and such. And other disclaimer: this is a very crowd, which I think is a good thing, so I've tried to balance things that I think would be interesting to different crowds. Hopefully a while to get. Hopefully you'll find something that's interesting. Feel free to ask questions. Maybe now, at this point, maybe you hold them, unfortunately, until the end, and we'll go from there. OK, so I always like to give a little. For what we do in my group and, OK, maybe it's that. So we've been working in physical systems security for a while now, maybe about four or five years or so. I've jumped around areas, sort of because of interest and because of funding and all that good stuff, and you'll see that happens. So we still kind of do work in network performance analysis and characterization, so part of, actually, our security work that we've done in physical systems was motivated by some of the characterization work we want to do. We've actually done some work in privacy, which is not, again, a core area, but a funny area, so we had students looking at ways to, the main goal really was to compromise privacy, so to break, attacks on structured data. We actually spent some time in cyber crimes, a lot of cloud security type stuff, again, not necessarily the core, but some things that were interesting, and some nice contributions came out of those. And the general approach that we take, and I think is pretty standard for all security research, is that you have this real world approach where we look at real data, we try to solve real problems with really interesting ideas.
But we are still academicians, so we have to, in addition to addressing problems that are here today, also make sure that we look at, think about the problems of the future and different ways to hopefully address those as networks and threats evolve. So we take those two approaches. So in a nutshell, I want to talk about an overview of C.P.S., just to give a primer. I think that's a bit, with a big draw for this event. Talk about how, as a result of the various components of C.P.S., the attack surface has actually expanded, which means that it's not good, there are more ways to attack systems. And a little good news, in that the nature of C.P.S. itself has also given new opportunities to secure these systems, right? So it's a combination, and ultimately, you know, if it's better or worse, I think the jury's still out, but there's certainly bad and good news associated with C.P.S. We'll talk a lot about some power grid work we've done. We have about two and a half years of data that we collected from a real substation, so we'll talk about that just a little bit, hopefully. Some observations from that monitoring, then we'll dive into a little bit of fingerprinting work that we've done in the past and how we've enhanced it, and conclude, go from there. So if you think about cyber physical systems, really at a high level you can say it's this intersection of these various components from the cyber world, so, you know, personal computers, laptops, all this digital stuff, and that's intersecting with these physical devices, right? So pumps and valves, essentially anything that actuates, right? So what we've done is we've gotten.
Maybe I should say so lazy, but we've got to a point where we want to make sure that we can control all these physical systems, if you will, you know, with our electronics, with our phones. It's a really good thing, it's convenient, right? So there in the morning, you know, maybe you can actually open or close, I say, or break a breaker or circuit out at a substation; as opposed to having a truck roll, you can do that from a laptop or from a machine. So it's very helpful. The issue is that once you expose these physical systems to the good guys, then of course the bad guys also have an opportunity to participate in the fun. So that's the challenge and that's the concern. There have been only a handful of real attacks, externally, on C.P.S. systems, right? So you've got some folks that think, that just conveniently think, that it's not going to happen, that we won't have a large attack. The first was Stuxnet, you know, around twenty ten or so. And then you had this Ukraine attack in twenty fifteen, and then right around the anniversary of that attack there's another attack, twenty sixteen. And these are all on, well, the last two were on substations, and it disconnected a good part of the grid. The interesting piece, so if you look at what happened, and look at the two different Ukraine attacks, you'll see a tremendous amount of sophistication from the first to the second, a tremendous amount. So the first one was pretty straightforward. It was not a big deal; it didn't require a lot of power systems knowledge and knowledge of industrial systems where the set.
That one was really cool. It actually had different modules that allow the attacker to send various commands to various control systems in its native language, so it actually implemented these proprietary I.C.S. protocols, and it was nice and modular. I mean, it was really neat. I was like, man, this is good stuff, it's sort of cool. So, I mean, for the folks who don't think it's happening, I mean, winter is really coming. And I mean, it's not this guy's fault, but I'm like, really, I mean, they've got a dragon now. It is coming, it really is coming. So we'll see, but I was alarmed, I was absolutely alarmed when I saw the code from the second Ukraine attack. So again, more than just an overview of cyber physical systems, and to sort of see where various components fit: if you look at the bottom, the pink, you have the cyber system, and right above that you have this communication network. And essentially, to the left of the communication network, we have the sensor cloud, so you have these different components that are our sensors that are observing the physical environment, and for the most part they are just one-way devices, they're sensing the environment, and oftentimes they are connected over a sensor network, a wireless sensor network, and ultimately that data is communicated over the communication network to this decision making system, some sort of control system or R.T.U., whatever it may be. And then a decision is made, some control algorithms are made, the decision is made for an action to occur inside the network, so some sort of actuation to occur. So maybe that's open a breaker, or do various different things, to open a valve, whatever it may be, and that actuation obviously occurs on the physical world. And then you have this really nice, here, closed loop system. There's open loop systems, without sensors, but you also have these closed loop systems, and that's what we at least want to be with C.P.S.
So, you know, where the cyber physical systems fit: there's lots of acronyms that just confuse folks. So you've got C.P.S., and then you get this I.O.T. thing, which really just is like, I mean, what is the difference between the two? And it's interesting, because, you know, from what I've seen, we really like to call things that are just cute and shiny I.O.T., you know, like a Nest thermostat, and the things that go boom, you know, like, that could go boom, like a power grid, or could cause a lot of destruction, like water treatment plants, things like that, we usually consider those C.P.S. But there's a tremendous amount of overlap in the different areas. And then you have this other term, right, which is still more of, you know, industrial control type systems components. So in addition you have cloud, of course, and then the general idea is that you can have all sorts of data. Even, you know, lots of substations have, for example, Sakis here, who's taught me a lot of my power stuff, and, you know, you have these substations, these digital substations, where almost all the calculations in the future will be done in the cloud, not a bunch of these sitting in substations, but a lot of them will be pushed to the cloud. And these cyber physical systems, you certainly have lots of M2M communication, I mean, that's sort of how these things work, where you have different devices telling a system to operate, lots of machine to machine. And then again, wireless sensor networks, you use those to communicate data. And of course there is a tremendous amount of data. If you look at data from P.M.U.s, for example, phasor measurement units, and all sorts of data that come from various sensors, there's a lot of it; it's real big data when you think about cyber physical systems. So let's talk a little bit about C.P.S. versus industrial control systems. And I do this in my class because oftentimes folks will confuse C.P.S.,
I.C.S. and critical infrastructure. They just, all of this, just use each term, you know, for everything, right? So I'd like to just sort of spell out what I think the differences are. So you have this whole world of C.P.S., which is, again, these physical systems that's going to marry with the digital system, right? Within that is a subset of systems which are industrial control systems, right? So you can think of an I.C.S. as just some sort of, you know, process that's being automated. So I always do this around lunch time, which is really interesting, but so I'm sorry, I don't know if that's good or bad for you all. You haven't done it also isn't where you're actually automating a process, let's say, in a plant or in a warehouse or whatever it may be. And then you have various industrial control systems that operate on critical infrastructure, right, which is different. So this I.C.S. is just a standard industrial control system, and I'm going to show you guys in the lab in a minute a standard industrial control system, but this I.C.S. operates on physical components that are critical, so this is what we call critical infrastructure. So this is really interesting and. If you think about, you know, I really hate how this is displayed over here, but OK, let my O.C.D. go back inside. Might not come back over here, so. If you think about different networks, and you really have to understand the differences between these networks if you want to have real solutions for these systems. So, networks: the security objective primarily, if you've got to choose one, has been confidentiality, and that's what we've been trying to provide. The network topology is usually dynamic: D.H.C.P., web based, bring your own device. The partitioning is often based on, like, functional units, like departments, you know, accounting versus engineering or whatever it may be.
And I know you guys are laughing, but in theory there are regular updates, you know, of patches and antivirus and things like that, and actually most places strive to do that. In the I.C.S. world, the networks are primarily static, even though you do have, you know, wireless networks, like WirelessHART for example. But most of the systems, I mean, transformers don't move; most of the systems are pretty static. And if you think about the functional partitioning, it's really in terms of the hierarchy. So if you think about it, it has a, it's called a Purdue reference model, and it's really the depth from the business network all the way down to the lowest level, the plant network. So that's how the systems are usually partitioned, not from one department to another department. And as far as patching, you know, it actually is challenging, because a lot of places are really hard to get to. I mean, we've been to substations where we'll fly, you know, to a certain location for an hour and a half, and we're finally at a substation which is in the middle of nowhere, right? And sometimes they don't want to push down remote patches because it may not work; that actually happens, right? So they've got to drive out to all these different places, oftentimes over hundreds of square miles, to do the patching. But in some, I've worked with some large organizations where they just said, you know, we don't patch; we're too afraid that the patch will compromise their most important security objective, which is what? So yeah, they're like, you know what, we don't patch. So we'll keep running Windows ninety five, literally, and we're not going to patch it because we don't want to break our system. And that's what they'll do. And then, I mean, they will do, like, you know, they'll try to extend the defenses for the perimeter, and the firewalls, and it's good stuff, but they're upfront, like, you know, we're not patching, which is scary to me, to say the least, given that
the fact that a lot of these substations, especially in rural areas, are in the middle of nowhere, and they have very little physical security. In theory you can go and just hang out there for a week before they found out that somebody is there, right? So it's really scary, and all sorts of interesting things that can be done. So yeah, it's not that great, and it gets even worse. So let's continue with the bad news. So let's use an example physical system to sort of illustrate some of the new challenges associated with cyber physical systems. So just think about a room as our C.P.S. and the various components, and the goal is to heat or cool this room. So you have a temperature gauge, you know, the actual. So that's, and then you have the actual system here, which is the room we need to cool, you have a furnace, and we've got the thermostat, right? So in our more technical terms, right, we have the sensor, we've got our system, again, choose your favorite sensor, choose a favorite system or process. The furnace is just an actuator; it's just going to cause something physical to happen. And then of course this is our controller. So again, it can be a P.L.C., R.T.U., whatever you want it to be, an I.E.D. So this is an example physical system. Well, if you think about it, it actually really is nice, and I mentioned this earlier, a really nice closed loop control system, right? So we have our, this is our output. You know, we want to have a certain temperature, so the controller, the thermostat, is going to set this temperature. It's going to cause the actuator, in theory, to do something, if it's not, in this scenario, if it's not already doing something. But in theory it will do something, so turn on the furnace.
And that's going to affect the process, right, which is our room. It's going to either heat or cool this room depending on the actuator, and then we're going to observe this temperature, if this is a closed loop system, and feed that back into our controller. And if we can make adjustments, in this scenario you really can't, but if it were, let's say, cruise control for example, you actually can make these analog adjustments, then you make those adjustments and the controller sends it back, and it just continues, and it happens over and over again, right? So standard, I mean, really basic, you know, first chapter, you know, control systems, control theory. So let's take that to map it back to security. So traditionally we have focused on host-based security, right? So we patch, for the most part, we have the host-based firewalls and all that good stuff. So we do that now, and we're doing an OK job of it. And then we also have the traditional network security, so we've got firewalls, we've got I.D.S.s and all that good stuff. So that's kind of where we've been in I.T. space. But now what we've done is, this other component that we've added: the controller, actuators, and also the process, and even the sensors, right? So we added that to our traditional security, and so things that we have to be concerned about, so we've got to be concerned about now, in addition to our systems being patched, maybe or maybe not, in addition to whether the firewall is configured correctly and all this other good stuff, we have to
make sure that the controller has not been attacked, we've got to make sure that the actuator has not been compromised, and also the sensors. So there are different types of attacks, really common attacks, on these different components. So for the controller, you have what's called a false control attack, and essentially that's where you are sending a command to an actuator and you're spoofing the controller, right? So if you had authenticity built into the system, in theory those sorts of things could be resolved, and it's a huge if, and they often don't. The actuator can also be compromised, and again, one way of doing that passively is saying that, hey, you know, the controller asked me to do something, to open a valve to a certain degree; I can just respond and say, hey, it's open, or it's not, whatever, right? So that's a passive attack on the actuators. And then the passive attack on the sensors is actually just a false data injection. So I just, you know, you want to know the temperature of the, well, the R.P.M. of the centrifuges, or whatever, maybe I can send back a false number, right? So that's the attack on the sensors, right? So we have to, in addition to securing our traditional systems, figure out ways to secure these other components. And they also do direct attacks, right? So you can directly influence sensors by changing the physical environment, right, I mean, you could do that. You can also directly attack the controller. Programmable controllers will run their own code; I mean, they run usually structured text, or ladder logic is probably most common, but it's just software, right? So you can actually attack the software as well. In February, my postdoc David Formby, you might have seen him give a talk here and other places, gave a really fascinating talk at R.S.A. where we looked at attacking controllers, and the idea was to see if we could
launch a real attack using, we didn't want to go to jail, so we can't actually do it in the wild, but we actually used real devices that in theory we could connect to. We used Shodan to figure out which devices were there, and we actually wrote ransomware code, and we sent it to the P.L.C.s in our system, the real attacks, real exploits, and compromised all the P.L.C.s. And then, it was really cool, they just had these email clients on these P.L.C.s, so we used the email client to send a ransom note. Those are great. So we did that, it was really neat. He looked at holding a water treatment plant hostage, and ultimately, you know, he poisoned the city's water, so it's all dramatic, but it was really interesting. But there's really no defense for things like that, right? I mean, the defenses that are there are. We had calls with, you know, I'll let you look in the paper if you actually care, but I won't say the name here since this is being recorded, but I would call the major vendors and, you know, they were saying that, well, why do you think we need a password on our P.L.C.? Our users had asked for these things. So that's why, you know, it didn't have a password, or the ones that had a password, you can easily brute force them, right? Like six characters, and you can, you know, an infinite amount of tries, I mean, all sorts of stuff. And then the response from the head of their product, you know, and then they called us, I mean, we reached out and they called us, was, well, the utilities didn't want it, so we didn't do it. But that's been the attitude of some of the vendors, which is scary. They made some progress as a result of what we did, but this is bad news, because these systems are not as secure as they need to be, and again, we've just expanded the attack surface, right? So let's talk about some good. So the good news is, this is one of my favorite pictures. So the good news, right, so the cool thing is, these physical systems
necessarily have to abide by the laws of physics, right? I mean, if you can beat physics, then that's awesome and we can collaborate, but these systems have got to abide by the laws of physics, right? So what we do is use the physics as a side channel. So can we use this as a side channel to help us secure these systems? And there's been lots of work, including some of ours, saying that, well, you've got to use the physics of, let's say, the process, right? So that's, again, we don't work in this space; a lot of folks have kind of converged to, OK, that makes sense, use the physical process. So, you know, at a high level, let's say I have multiple sensors at different parts; this is a really unattractive generation plant. But I have various sensors at different areas, so for the burner, let's say, the amount of water in a tank, steam generated, and then also the output of the turbine here, which is going to be pushed into a transformer, stepped up, and then pushed out and distributed through transmission to the grid. But if I know various values at different areas, so if I know, let's say, the pressure here and the temperature here and maybe the amount of water here, then I should have an idea, and I have a model of this system, should have an idea what this last value should be. So it should help me trust some values that may not be untrustworthy, give me an opportunity to be able to have a trust anchor, if you will, for values based on the process physics. Another thing, another way you can use process physics is for making sure that, let's say, control commands are legitimate control commands. So this is a project, actually it's wrapped up now, with my colleague Sakis and so forth as it alters that D.T.R. and also. And the really cool part of this project is that what we're doing is looking at the data, doing D.P.I.,
deep packet inspection, and looking at the actual control commands that come in. And these control commands, these data packets, they're perfectly formed packets, so there are no, you know, anomaly-based systems, they'll, you know, bypass anomaly-based systems; they are, you know, like a zero day type of attack, so there are no signature-based systems that can detect them. So perfectly formed packets. But what we do is we actually run the control commands through this state estimation, which is really a contribution of Sakis, and he has a model of the entire substation, all the components that are there, and it's a real time model. And what we can do is take this command, a command to open breaker X at substation Y, and he can, in a real time fashion, determine that this command could destabilize the grid, and if it does, then a note is sent, a message is sent to our I.D.S., which can simply block that command. One of the challenges about this is, you know, in theory you can have to ration because the modeling is dynamic, so at any given time, and in theory that can happen a president at any given time, that command that was sent actually could have been legit; it depends on the physics of the grid at any given time. So if you use the physics of the process, then you can help look at detecting false data and false control attacks. So another technique that can be used is looking at the physics of actual devices, and this has been really interesting work. So these are two latching relays, and this allows you to just open or close a circuit, and, I mean, I really like them. So, lets you open or close a circuit. It's. So.
These latching relays have certain ratings, like how fast they can open or close a circuit, but the interesting piece here is that how fast these relays operate really is a function of their physical composition, right? So you have the solenoid in each of these, and again, they are rated to do the exact same thing, and they are tiny, actually, I mean, about this big. And what we want to do is see if we can determine if it's device A versus device B by looking at how fast this armature closes, that it moves from here to here. And our position is that, well, it's going to be different because the physical composition of these devices is different. The solenoid, the force that's generated from device A versus device B is going to be different based on, let's say, the solenoid that's here, and the number of turns, the amount of current being pushed through, the direction and all that good stuff. So what happens is you can detect, we're going to detect what device it is by simply just looking at the speed at which it opens and closes. Now, it's a slight challenge to convert this to something that an I.D.S., you know, could ingest, but it's actually not that hard to do. So if you have a P.L.C. that's connected to it, for example, then you can just observe this time, and oftentimes this time is measured for performance, so you can use that time to decide, hey, wait a minute, this was device B
and not device A. So that's another mechanism that you can use: in addition to the physics of the process, you can also use the physics of various devices. And we chose these devices for a couple of reasons. Number one, they're tiny and cheap, but it was also a worst case, like, if this could work for latching relays that were rated very similarly, then it should work for valves and motors and pumps. And later, which I probably won't get to here, but later we actually show that they work for valves, pumps and other types of components, and it works really well. OK, so this is great. I love showing this picture so I can tell my friends that I actually am a real engineer. So that's what I think I was doing there, doing absolutely nothing, let's, we'll just take a picture. But this was great. This was, I think, we're in Florida at one of the transmission substations. So I'll talk a little bit about the study that we had at a substation for a couple of years, and just a quick primer for the power grid. You have some sort of generation that occurs; that could be renewables or can be just a regular sort of coal burning plant. Then that is stepped up and then pushed through the grid, and this is called transmission. It goes through several substations. The voltage is ultimately stepped down at the distribution substations, so here, and then pushed down to our homes, where it's stepped down further and actually comes into the house. So you can monitor the data at various points. We monitored at the distribution substation, where the voltage was a little lower, and we had a system there for a little over two years, right? So interesting access. And the cool thing about this study is our whole goal for this was just traffic characterization. We had no interest in security; I mean, again, part of my work is networking and characterization, part of my work is security. So I said, hey, you know, no
one has really written a large scale paper on characterizing power system traffic, let me be first. As often, I wanted to be the first to write a paper about a site or I said let's do it. So we did, I mean, which was great. And so here's the architecture. We had a system, we had a control center that was here, and it had this fiber ring, different I.E.D.s. So this was one substation connected to the control center, and the I.E.D.s are these intelligent electronic devices. I'd done a lot of work in the I.D.S. space, and then I moved to Dia East and they start time I.E.D.s, I was really confused, but it's intelligent electronic devices. But these are components that sit in front of, let's say, a transformer or some sort of actuator, and it adds intelligence to the device, so that you can actually poll it and do different things. But this is a fiber ring connected back to the control center. So we were there for two years, a little over two years, and we found really interesting things, and this is just a summary; there's a fifteen page paper that talks about this one slide, by the way, which should be on my website. But the first thing that we observed, again, not looking for this, because we just wanted to write a characterization paper, was that many of the network protocols were very poorly implemented, just really terribly implemented, and this was across actually almost all of the vendors. And so we went even further to say, well, maybe they just bought the same protocol, so, that would have made us feel a little better, but no, they were just all terrible, and they were all different and differently terrible, which is really scary to me, and these are major vendors. Very interesting traffic dynamics. So we looked at R.T.T., round trip time, and on this fiber network with essentially no delay, it was like point zero one utilization rate, the R.T.T. for three miles of
fiber was much greater than R.T.T. from, you know, from Georgia Tech to California over the internet, which we were like, what's going on? So we dug a little deeper, and then it makes sense: most of the time spent by the packet was actually spent inside the I.E.D. itself, because the systems were these embedded systems. There was tiny time on the actual network, but the vast majority was actually spent inside the I.E.D., which is really cool because that allowed us to do things like device fingerprinting based on the internal components of the system. And tons of flaws, which, you know, some are documented here. We work with a lot of the vendors. The most recent, always on my website, the most recent flaw that we found was in a P.L.C., which is a privilege escalation flaw, and it was, if you get read access, then you can easily get root. And so that was not the alarming part to me; the alarming part was that it actually took eleven months and a couple of threats by us to get the vendor to actually fix it. I mean, it was root, dude, this is not a simple flaw, this is privilege escalation. These things are powering our grid, our generation plants; would you please fix it? And after encouraging them, nothing for eight months, they literally did nothing, and we encouraged them, at that point they finally pushed out a patch for these things. But this is crazy. They bought it from somebody who's, right, it was terrible, consistently terrible. A couple of the findings. So this is a couple years old, so maybe they've changed, or fired the people who wrote these things. The first thing that we found was a G.E. Hydran, which is a transformer monitor, it monitors the transformer and gives its state, and the sort of feedback we got from G.E. was, the only way to fix this is to buy a new version, but there's no way to patch the system whatsoever, and you've got to buy a new system, right? So I'm like, OK, that's not good, but fine.
The scary feedback was from Cooper, right, which, again, I mean, this is all public, and presumably this passed the lawyers, I don't know how, but it did. But if you look at the bottom statement, it basically says that, yes, you found this flaw, you can bypass authentication using this technique, but guess what, we don't require authentication, so joke's on you. I mean, literally, that's their response. That's in writing, that passed lawyers, that's actually public now, this is their response. I mean, so if you think about how poorly the software is written, how easy it is to access these systems that are in the wild, the attitudes of vendors, and this was a couple years ago, including the vendors we talked to in February who were blaming it on the utilities for not demanding passwords, it's scary. I mean, it's a lot of stuff to be concerned about. I won't go into the device fingerprinting stuff; this is some stuff you've actually probably seen before. But we use this technique, this is based on the device physics that I talked about earlier, but we use this technique to authenticate different devices, and you can almost use it as a P.U.F., a physically unclonable function, where if you have a P.L.C. with different actuators, because actuators don't really move, if you can get the timing of these actuators, then you can authenticate and identify the actual P.L.C. So it's a really nice way to do access control and other things on these systems. The new part that's really cool is this stuff. So we've extended that to not only work with these relays but to work with valves, and all the graph right here is just saying that it works, and that it's one hundred percent of the time, which is good. We've also extended it to motors, pumps and other various components. I'm going to go ahead and wrap up, as I do want to take a couple of questions, but we really have a long way to go. We're working on a.
We're working on a submission for I say now that I won't talk about in detail but it's you know yet another in our mind really simple flaw that can be exploited and can be significant so hopefully we'll get a chance to present that. We have spent a good bit of time measuring data measuring measuring trafficking in lots of data and it will be really helpful if we can get access to more data I mean you know I will say this on tape I mean I had challenges even working with Georgia Tech I'm like look facilities people we want to help you we want to do it for free you know let us help you and it was like no you're not going to get on the network and I'm like I'm trying to help you not the bad guys on network but but it's a challenge a challenge for us even on our campus to get access to data to help secure the system so if you're out there listening we love your data. I'll conclude and be happy to take questions and sorry for the. Issues earlier. Questions for like three minutes yeah. Most of those. Questions. I mean I know the motivation here that was speak to their motivation. I just say I have not been impressed with their effort in securing these systems it's just not it's something that when my grad students can solve that issue and you know a weekend of work I mean it's not it's not that big a deal but they are imaginary just more for I mean it's not easy being a company but I mean they're very focused on pushing our products and being competitive and sometimes it's hard to spend time going back and fixing things so I imagine that's OK. But yeah from us. On. A real risk model. 
I'll answer that question off of the camera so I have my opinions in general about you know front and calculate risk models for real systems I mean I think theoretically because I actually know so theoretically I mean it can they can be fired but I think in practice it's really challenging to have true risk models for live systems on paper yeah you can do all these sorts of things and you know and then it's you know the probability of this and then. But also have been mapped any sort of real solution at all from what I've seen. But I know certain organizations search one agency agencies love these sorts of things I mean we we present I'm like OK well if you want to run this well I'll give you one sure you go you know. What else. Just dangers of the lord All right the rhythm on that. This is not right the older the. Utilities or. Be protected. I'll give you my general opinion on regulation and compliance. At a high level and be happy to talk offline about those sorts of things so. What I've seen with various compliance in this is that they often are. Named correlated with security in many instances and that you need to be compliant and I mean you know so for example you might get to be compliant and have you know a password that's four characters or some grimy I mean it but because you had to have a password that you know met a certain sort of composition type but is still completely insecure right so that's been my experience what I've seen in general. But I'd rather talk offline about those specific ones because I know some of the folks involved. Yes I'm sorry. Some people transfer their current this year to the rest. But. I didn't. Want to. Actually. There. Are the let's. Just take a lot. That's when you're. You know you're just. Like email that's what I expect Thank you Nick. That was your source three that you were going. To. Let us yeah yeah yeah yeah. Trained men. Single. Right single. 
Right word he says something innocent looking to hire Yeah ordination a lot of security should be overall state the highest price in this kind of physical state. Dept and there's another city possibly consider the site this isn't temporal deficit's subsystem to be that many more years where you have to take patients to see or process under different conditions external conditions. So this isn't just wondering if you only want to get that. Kind of. Saw this is supposed to mean so that specific thing is the. Project that's was set right so that specific project the goal was to focus solely on the substation and model the behavior of the substation in various components and use that as an I.D.S. that that's because that what we propose to do so so most of our work was substation based and a lot it was as we just left but a lot it was basic state estimation from the power system guys. Yeah to. Buy just for me to read and write. And. Reverse this isn't all there story. Or so. This is already. There just. So this is three for example so this this substation in DNP3 and yeah you got security DNP3 that gives you in theory authenticity and it gives you two. It uses actually T.L.S. to give you confidentiality. But I mean I have not seen anybody that used it right so you can do that and then there are other concerns with. 
A lot of the equipment I mean I don't even know if they could have used it with the the I.E.D.s that they use like if it makers now you're adding the crypto piece into slows it slows down so I don't even know if that component actually these components could actually do it so the issue with especially in power systems it with they use equipment to advise I mean I mean Transformers last for fifty years and you will I mean you know a man went to such and I mean a transformer as you know twelve years old maybe fifteen years I mean fifty five years old and they want to keep pushing into the thing crashes and burns and they take that mentality into all the other components like other I.E.D.s. So even though you have protocols that years ago came out as a portal I you know IEC 61850 is a really nice secure protocol but nobody uses it not in the U.S. If you go to Europe no place in Asia then you'll see there much for a long time we are so. It was nothing but I mean you do have see you do have ways to be much more secure on industrial control systems but then that just gets you up to the you know close to where systems are in theory and then you have all the other concerns associated with. Yeah last question here yeah. So one of the reasons why it's happening is because the skill base is. For those people hired to do just that. Really. Science so there are some classes to take a look at. But I mean so what I would I would. So I would I would I would I'll answer that too but then I'll make a comment first so what I observed, say, at the E.C.E. career fair is that. The lines are really long for you know our company students for like Intel and Facebook and I was of places. But our students who are in the system for example are not really lined up at Cooper right or. So. 
I mean I think a nice way of saying is that it's almost a skills mismatch I mean I think like the physical components are probably exceptional because they had a best power engineers to do these things and build a component but what comes of developing the software they do it in-house so you're not outsource it's it's probably not the best skill set and then you ultimately have to use the system that are not there good we have you know great courses in any C.. We have Britain. Always right here does the binary analysis course which is good we have a course that we teach can we actually do some more courses here for me there's a C.P.S. security class that I'm teaching online through OMSCS. So I mean you can you can get access to the same course each eye has like an infinite amount of short courses like on these topics right so yeah. So our last last question this is. This is. Not the old cultural problem that's what I would use all the technology yeah yeah. Yeah yeah yeah yeah. And they have a law and the process control engineers have a tremendous amount of power so we were at a large oil and gas company a couple months ago and we're talking about your security solutions and you know the folks that are powerful at these companies are the process control engineers you don't stop their process you do not stop their process so you know I T. and subjugated folks can yeah this stuff is fine but you better not stop our process and that's the message and they control it so that's another another issue so you know what I mean we're going to get there hopefully. I don't know OK last last last quote is this is that yes. It was on. Its. Own it's. Just. I mean security you know I was talking to the head of. A large security company and you know I think he framed it really well and he said look secure itself secure is like selling insurance. So it's really hard to do and folks don't believe it so. 
Daddy I'll leave it at it with you know all right thank you.