
A
From a defensive standpoint, if you're a defender, that means what an attacker is trying to do here is get directly to the thing that's closest to the physical world, and the opportunities for detection are much higher up in the stack. And obviously in the IT network, there are lots of opportunities to detect these types of attacks before they even get to that level.
B
Welcome to another episode of Mandiant's Defender's Advantage podcast. I'm your host, Luke McNamara. Joining me today in our virtual studio, I have Chris Sistrunk, Samat Bisht and Anthony Candarini from Mandiant's Operational Technology Consulting team. Great to have you guys all with me this morning.
A
Hey, thanks Luke.
C
Glad to be here.
B
Well, I said this morning, but I think maybe Samat, you're the only one for whom it's actually the morning; it's a little bit afternoon or evening for the rest of us. But wherever you're joining us from, or whenever you're going to be listening to this in the future, great to have you all here today. So we're going to be talking about a blog that you were all involved in writing about protecting the grid, protecting relays, and some of the work that you've been doing in the space, especially from the red teaming side. But maybe to begin with, for folks who are not very familiar with Mandiant's OT consulting team, Chris, do you want to kick us off? Maybe just a brief description of what you guys do, what you focus on, and how you fit into the larger work?
A
Yeah, absolutely. So we've had an OT team at Mandiant since late 2013, early 2014, so we're coming up on 12 years. Everything that Mandiant does: incident response, strategic consulting, technical consulting including pen tests, red teaming, blue teaming, executive tabletops, technical tabletops, incident response plans, and even training. We have two ICS training classes. We do all of that with the OT folks in mind, and the folks on our team come from industry. I came from an electric utility SCADA engineer background. Anthony and Samat also had experience in OT before coming to Mandiant. So we are there with our clients and can speak their language, and then help them improve their cybersecurity from an OT perspective in every facet of critical infrastructure, whether it's electric utilities, water, oil and gas, manufacturing, mining, transportation, you name it. And that's what we do from an overall Mandiant OT team perspective.
B
And I would definitely endorse that, as someone who's had a chance to sit in on some of the training: if anyone out there listening has a chance to take a class with any of these gentlemen, it's definitely a worthwhile experience in terms of getting into some of the particulars of what you do in the OT space. I guess, transitioning from that into this particular blog, I think it was an interesting read for a number of different reasons. One, in part because it is written from more of a red teamer's perspective. There's a lot of applicability there to defenders, but I think that brings a realness to it. If you were to talk to the average person and ask them what a destabilizing cyber attack could look like, probably a lot of people's first thought would be something related to the energy grid. And what I really loved about this blog is that you dive into the actual nuts and bolts of the particulars of what could be targeted, what could be impacted. And in particular you have this focus on protection relays. So maybe, to kick us off: what are protection relays? These intelligent electronic devices, what role do they play in a modern energy grid? And let's talk about that from an architecture standpoint.
A
Oh sure, I'll take this one. I used to work for a power company before coming to Mandiant. So when you have an electric power system, whether it's a grid or even if it's just generating power for some small thing like a motor, you have to get power from one place to the other. You have generation, transmission and distribution. Transmission is high voltage: the big power lines on the side of the road or interstate, you can see them on very tall pylons. Distribution is what comes into your neighborhood, into your businesses, into your homes. So the relays are the brains of how those power lines are turned on and turned off. You have different components like circuit breakers, power lines, transmission lines, distribution lines, distribution feeders. You have transformers that step up or step down the voltage. All of those expensive pieces of equipment have to be protected. And the way that we do that is protective relays that sense voltage, sense current, and can do it very, very fast, like a sine wave. In America, 60 Hz is the sine wave frequency, the voltage frequency, the grid frequency; in other countries it's 50 Hz. This is even faster than that: sub-millisecond sensing of what's happening on the grid. If there's something going wrong, it can say, hey, that is a fault or a potential fault, we need to do something about that, and then send a command to a circuit breaker to open, or what we call trip: trip the circuit breaker, trip the power line, to open it, to keep it from catching on fire, to keep it from having an issue like a squirrel. If a squirrel was on a power line, we want to not let the power line burn down. Right? So we want to open it up, or during a hurricane or an ice storm or another disaster that might happen, or if a tree fell on it, for instance. So these smart devices used to be electromechanical, with coils of copper wire, sensing disturbances that way.
And if you go back to the electrical engineering handbook from, you know, 1900, a lot of the things that existed in relays then still exist now. They're just done digitally now, with microprocessors. So in the early 1980s, Ed Schweitzer invented the microprocessor-based relay, and now all modern digital relays are based on microprocessors. There are still electromechanical ones out there protecting the grid, protecting these systems, but the newer ones have these more modern features and they work better than they used to. And now they also have connectivity with Ethernet ports, or serial ports, and we can talk to them, program them remotely or not remotely. There are a lot of different things about how we can program them and also do protection, even cybersecurity. So I did a lot of talking. Luke, thank you for allowing me to do that.
B
No, I think that's really helpful. And I know there's a bunch of different core components that make up this part of the architecture, but maybe we can go through some of the other key pieces here.
A
Yeah, so in the blog, Samat, Anthony, others and I described some of these components. And I can turn it over to Samat or Anthony to talk more about that.
C
The very first thing which we thought about before writing this blog was to understand the attacker's mindset. And when we talk about the attacker's mindset, we are thinking about how the attackers think of attacking our power grid. As we have seen in past attacks, they have specifically focused on tripping the circuit breakers, like in the Ukraine attack which happened in 2015. So when we think about these circuit breakers, the command to trip them could originate anywhere and take any path, but it finally goes through the protection relays. So I'm just trying to highlight why protection relays are very important, and why they are the major target for somebody who wants to go for a proper blackout of a nation or an entire city. Let's say you want to trip the circuit breakers: you eventually have to go through the protection relays. You can either directly compromise the protection relay and trigger the command from there, or you can go through the HMIs, the local HMIs I'm talking about, which are present in the substations, and directly trigger the command from the substation HMI, and it will also go through the protection relays. And if you directly fire the command from the EMS, the energy management system, which is at the top level of the hierarchy within the transmission systems, if you fire a command for the circuit breakers to trip, it also goes through the protection relays. So that's why it is very important to highlight why protection relays are so important. And in this blog we have not only focused on tripping the circuit breakers, because with protection relays there are many other things which could be done, and which could be worse than tripping the circuit breakers.
When you trip the circuit breakers, you can instantly see visually what happened in the grid. But when we manipulate the settings or the logic, which is what we talk about throughout the entire blog, if we change the logic, which is the actual brain of the protection relays, you, or the attacker, can do far worse. I mean, it can be a nightmare for the entire substation or the entire country. So this is what we tried to add within the blog.
A
Yeah, that's a great overview there, Samat. But, being malicious, if you put on your evil hard hat: let's say we prevent a smart relay or protective relay from tripping. We don't want it to trip. We want it to burn the power line down, or we want to remove the protection itself, remove the fault detection. Let's say it shouldn't detect when a tree falls or if a car hits a power line. Right? We don't want it to do that. That's pretty chaotic, and that's possible. It goes back to even the 2007 Idaho National Labs Aurora attack, where that video was shown on CNN, where the lab was able to go in and reprogram these substation protection relays. Instead of allowing them to close when they're supposed to, when the generator is supposed to sync seamlessly with the grid, let's make it sync with the grid in a chaotic cyber-physical way that will destroy the piece of equipment. Instead of being in sync with the grid, it's out of sync, and so the generator has to catch up rotationally, and that causes it to jerk. And they did that through reprogramming the relays. That is the Aurora vulnerability, and you can read more about that on Wikipedia and in all the other reports that have come out about it. But even things like spoofing the LEDs on the front of the panel, like, hey, there's nothing wrong here, or there is something wrong here, can mislead the technicians when they have to inspect this equipment. There are so many other things that can be done to these relays. So that kind of brings us to, how do we protect these systems? Right, Luke, is that what you want to get into next?
B
Yeah. And maybe actually just zoom out for a second. One thing I heard explained to me once, years ago, in the context of operational technology security, is that there's this sort of trade-off that is often made between safety and security. And I think, as you're noting, with some of these newer, more modern introductions of technology into ICS, SCADA, OT systems, depending on what environment it might be, everything from a factory floor to other types of critical infrastructure or an electricity substation as we're talking about here, some of the advantages of the introduction of that technology to be able to remote in means that someone doesn't necessarily have to go out, travel to that physical location, or be in proximity to something that could have physical safety issues. Right? But the introduction of those things by their very nature increases the attack surface, and it now presents potential challenges that as defenders you have to think through. Do I have that quite right, or how do you think about that in the context of what we're talking about here with these electric relays? As you note in the blog, they may require physical access, or they could be manipulated through physical access, but some of this can be done remotely.
A
Right. Exactly right. Some substations are not near the office. They may be a two or three hour drive to get there. My father has worked for the power company for 53 years now, 52 years now. And when I was a kid, I remember when the operations center would call and say, hey, we've got a fault on this transmission line. He would just roll out of bed and go dial up the modem, you know, 9,600 baud, and talk to them and say, hey, it tells the fault distance from the substation. Oh, it's 3.9 miles from this end of the sub, from this substation, going this direction. Then the troubleshooters, the linemen, could go find where the fault was. And that's a function or feature of the relay: it can tell you how far the fault is from the substation. And we've been remotely accessing these since the 80s, 90s, and now. But due to some things, like what happened with INL, the 2007 Aurora demonstration, but also going back further to the 2003 Northeast blackout, that really made North American bulk electric utilities, the larger utilities, rethink how they do remote access, how they secure it and where it's needed. And so that's for the bulk electric system, but for the smaller electric utilities, or, say, a refinery that has a power substation, that may not come under scrutiny for cyber security. And what's called NERC CIP, from the North American Electric Reliability Corporation, is driven by the government to help protect the bulk electric system. But if you're outside of North America, or if you have a small electric utility, it still has these relays. It's still important to think about these things. So you may have that remote access or you may not.
You may have security around that with two-factor authentication now, or you may not. And so what we want to do with this blog is show that for the defenders. If you're a relay technician or relay engineer, you may not know that you're a defender, but you are; you're trying to help protect these things. It may make sense to think that way, but it may not. It's like, we were not taught about cyber security when I was in engineering school. And so it's a paradigm shift. We're learning more about cyber security every day. So I see Anthony has something to add as well.
D
Yeah, I was just going to really agree with that. I think from the engineering side of things, most engineers are trained to look at things from a safety standpoint, from a probability standpoint of occurrences, and once they pass a certain threshold, and a lot of these are defined by industry standards, so if something can happen by random occurrence one in a billion times, then it's considered safe. Especially now that we have transitioned from these electromechanical relays to a more solid-state type design. And the critical thing here is, well, an attacker knows that, right? If they understand the system and they understand the checks that you're performing, they can overcome that. So instead of it being a probability-based attack, it is a knowledge-based attack. So for instance, if you're doing a two out of three, where two out of three of your outputs need to be set in a certain manner for a system to go into a fail-safe mode, to shut off, let's say there may be a one in a billion chance that happens by natural occurrence. But an attacker that knows that both of those relay outputs need to be set to turn the system off can simply just attack it. And I don't necessarily think that engineers think that through as they're designing systems: hey, what if an attacker were to understand this information that I know and I'm designing out from a probability standpoint, would they be able to take advantage of this design? And I think as we move over to this largely solid-state-based design across industries, across critical infrastructure, engineers really need to be trained to be thinking like that: not just what if this happens by accident, but what if an attacker knows about this and tries to do it on purpose? What are my defenses against that?
B
Well, that's what I really liked about this blog, again. The fact that it's written from a red teamer's perspective, you guys are thinking about it with your bad guy hat on: how would you approach targeting that? And so maybe to transition there, thinking about the reconnaissance phase of this, maybe walk us through that. Because it may not just be something as simple as walking into the physical location of a substation and plugging in a USB maliciously. Maybe it involves that. But oftentimes, where we've seen attacks like this in the past, maybe it's going to involve targeting personnel to get into the IT network of the organization that manages that infrastructure. So maybe start with the reconnaissance piece and walk through what you lay out in this blog.
C
So when we talk about the first phase, that is the initial reconnaissance phase, the attackers will basically go with public reconnaissance. They will start with social reconnaissance, especially targeting the organization and especially looking for the utility engineers, the people or the staff who are working for this specific TSO, the transmission system operator. They will go through all the LinkedIn profiles, and they will go through public sources, if they are able to find any resumes or RFIs, for keywords like the different tools that are being used within the substations. So they will get a fair idea of what type of systems and what different vendors are configured within the substations. Then, when they go for active reconnaissance, they directly scan the entire infrastructure to identify if there are any energy or engineering portals that can be directly accessed from the Internet, or if there are any exposed VPNs which the organization is directly using to connect to their OT environment. If the attacker has access to any of these, they can directly get access either within the corporate network or directly to the OT network. And when they have all this information with them, they go to the next phase, which is the initial compromise phase. They will try to create phishing campaigns specific to the identified or targeted engineers, from where they can get a foothold to the critical systems. And if they are able to compromise the VPNs: recently, in 2024 and 2025, we have seen multiple vulnerabilities related to VPNs, so the attackers can directly use those exploits to get access to the OT or the corporate network.
And if there are any Internet-facing applications which the attackers can compromise, they can get the initial foothold within the corporate environment. So the main focus here is to somehow get access to the corporate environment or get direct access to the OT environment. Once they have access to the corporate environment, the reconnaissance starts again. This will again focus on elevating privileges within the corporate environment. What the attacker does is identify all the different systems which are connected within the domain, and tries to identify whether they can get any details about the substations: anything related to the projects which are being deployed in the substations, any tools that are being used in the substations, any type of vendor documentation that is used within the substations, and the IP address schema, if the attacker can find it for the substations. So the entire enumeration related to the attacks which the attacker will perform within the substation is gathered within the IT network. If we go for the TTPs: the attacker will first identify within the domain controller which of the users they identified through LinkedIn are present within the domain network, and will try to compromise their systems so that they can gain access to their laptops and gather the details from there. Once they have all the required details, they move further from the corporate network to the OT DMZ, if there is one, or directly to the substation network. And now, when the attacker moves to the substation network, as we have explained in the blog, there are two phases here. One is the technical reconnaissance, one is the process context based reconnaissance.
In the technical reconnaissance, it's more about identifying how the infrastructure is configured within the substation. When we talk about the process context, it's more like, if you have access to the HMI, what details you get from the HMI and how you can relate those details in your attack. Let's say when the attacker compromises the HMI, they will get access to the single line diagrams for the substation. And the single line diagram shows you everything about the substation: where the bus bars are configured, where the different feeders are, what voltage is coming to the different feeders, and the different lines configured within the substation. So the attacker has an idea of what the voltage, the frequency and the current being controlled by the specific substation are, and how they can utilize these details further to craft an attack that could directly lead to a blackout situation. They relate each and every component to whatever is gathered through the HMIs. HMIs have different screens, and from one of these screens they gather the details about how the electric grid is designed. The second phase will be to go through the different individual feeders. From the individual feeders they identify which types of protection are configured for each, and they try to relate those protections to the protection relays and the logic which is configured within these protection relays. When they have access to all these details, then they know what to manipulate or what settings to change to have a high-consequence event within the entire substation. So they're not just focusing on the small pieces of the attack; they are focusing on the large piece: how they can cause a high-impact event, or which protection relay or bay controller they have to compromise from where they can have the maximum impact within the entire substation. So this is the entire attack life cycle which is followed within any type of critical infrastructure that we talk about.
A
Excellent overview there. I want to take a little step back from a defensive standpoint. If you're a defender, that means what an attacker is trying to do here is get directly to the thing that's closest to the physical world. Right? And the opportunities for detection are much higher up in the stack. You have the network switch, the firewalls, the servers, the HMI, which is probably a Windows or Linux server, right? Windows is definitely very pervasive in substations, at least in the laptops and the servers that configure these devices. But all the way up through where the configurations are stored, and obviously the IT network, there are lots of opportunities to detect these types of attacks before they even get to that level. And so that rolls into, hey, how do we detect these things? How do we protect against these things? The blog goes into a lot of detail around detecting these things, hardening the configurations, and, if your detections fail, what you can do inside the device, inside the protective relay or the substation relay. How can you protect it even at that level? Anthony, you had something to say as well on this topic, I think.
D
Yeah, I just wanted to reemphasize one of the main things that Samat pointed out, which is that when you're doing reconnaissance that's OT related, you're really, really focused on the user set that is related to OT. Right? So is it a maintainer? Is it an operator? SCADA? You're looking for those keywords. Your enumeration around shares is also very, very critical on the IT side, because nine times out of 10 you're going to find some document that gives you information, anywhere from just IP addresses all the way down through full sets of passwords. It's very common to find those in SMB shares. And that'll get you into OT in a very quiet way. Samat and I were just on a recent engagement, and it was just that, right? We searched through a bunch of shares. We found pretty much all the passwords we needed to get all the way down into the OT environment in two different ways. Also, Samat mentioned finding the tools that the maintainers are using on those shares, or on those compromised users' desktops and their systems. So for instance, TIA Portal, which is a Siemens maintenance tool. You can use that within the OT environment to find the devices that are in the environment. Sometimes, if a password is not protecting the application logic, you can actually pull the whole project down. So things of that nature are going to be very hard to detect, especially once you're on the OT side by itself and you're using the standard maintenance tools. So in some sense there's really nothing to detect, especially if you're doing it from a system that is expected to be communicating with OT, if you've compromised a user that normally does access the OT environment. Right? So it's very, very quiet, or at least very expected. And then finally, I did want to point out, once you get into OT, you're going to find largely flat networks, even though we definitely preach to the contrary.
We preach segmentation, but that's not how it is in the real world. In the OT environment right now, not all places are well segmented, and you're going to be able to move around quite easily. A lot of times substations can talk to other substations, even if that's not really necessary from an operational standpoint. And then finally, you'll find a lot of basic services open on the OT side. Once you get down in there, you're going to find Telnet, you're going to find FTP, and unfortunately a lot of these things are configured with the defaults. Right? So the blog does go into that detail, where we're looking at protection relays that are configured with these default settings, where the jumpers were never changed after commissioning the systems to prevent somebody from manipulating the logic or uploading firmware remotely, which is a recommendation in the manual but isn't necessarily followed by the integrators or by the owners after commissioning the system. And unfortunately, once you're in there, an attacker can actually take advantage of that. It's like the system is in its pre-commissioning state. We're able to Telnet in, we're able to change the position of breakers, especially if, again, default passwords are used. You're not only looking at default passwords for a standard user, but you're even looking in some cases at default passwords for the vendor, which has higher privilege levels and lets you manipulate settings that really shouldn't be manipulated after commissioning, like set points for overvoltage and overcurrent, or the number of auto-reclosures, which protects against a relay that keeps on trying to reclose itself with a fault on it. Think about when, in your house, you have a breaker, right? And you're flipping your breaker in your house after it has a fault on it, you get a little spark, right? Because it has a load on it.
Now imagine a breaker that has 500 kilowatts going through it and you keep on trying to reclose it when there's a fault on it, right? That's obviously very bad. So if an attacker can get in and they can manipulate settings that allow them to do that, that's obviously super dangerous. It's an attacker taking advantage of very, very basic vulnerabilities and misconfigurations.
B
In this case, a couple of things that jumped out to me when all three of you were talking about this is, and I know this has been one of the challenges in the past with attribution when we've seen activity from, say, Sandworm or TEMP.Isotope or the actors behind the Triton malware, a lot of these attacks begin like traditional intrusions, if they're hitting the IT side of a large organization, which makes determining the intent a challenge, especially if you catch it or detect it at that phase. Is this primarily for espionage, or are they just trying to do reconnaissance on the organization? Or is there something more sabotage-esque taking place here, where they are trying to move eventually over to OT? And it may be an actor that maybe we don't catch actually doing the disruptive or destructive work, but are they gathering intelligence to understand the layout of these systems and networks for something down the road? And then the other piece, hearing, Samat, some of the things that you were noting, is that even for a very sophisticated actor who has nation-state level resources behind them, that maybe has exploits developed, maybe has an OT test range where they're trialing some of this stuff out, this still takes time to put together and operationalize. It takes time to actually gain some familiarity, not just to do the initial targeting, move into the organization's environment, and jump over to the OT side, but also to gain some familiarity with how they have things laid out, the technologies they're using. So I think it's interesting with all these pieces at play. I know we've seen this in the past where even well-resourced, more sophisticated actors can make mistakes along the way as they're trialing some of this stuff out.
A
As far as we know, there have only been three publicly known power outages due to a cyber attack, and they're all in Ukraine, in the context of a larger geopolitical conflict. Right? So I'm still more worried about squirrels, to be honest with you. But if you have somebody with this relay knowledge, yes, it's good to talk to them, understand them from a security perspective: what are we doing? What can we do to improve? We're not ringing the alarm here with this blog, though. This is just another deep dive to help our defenders that are in critical infrastructure around the world, to say, hey, let's take a look at that. I mean, engineers aren't dumb. We've been dealing with failure for centuries. Right? That's why we have these systems that are reliable. You don't think twice about it when you turn your switch on and your lights come on: 99 point however many nines percent of the time they just come on, they just work and nothing burns down. There are instances where that doesn't happen, and obviously there's a lot of engineering root cause analysis, but there's a lesson learned after all of those. We're trying to help boil those lessons learned into what we've seen as part of our Mandiant OT red teams. And that's kind of like, what are the top 10 security practices for substation relays? That's why we wanted to put that in the blog as well. There are a lot of other good things going on out there. NERC CIP has done a good job of getting baselines for most of the larger electric utilities in North America. But again, that doesn't apply to everyone. That doesn't apply to every utility; that doesn't apply to non-utilities that have substations. A paper mill will have a generator with a substation, because that's just the nature of it; they can generate power off of the chips that they make when they're debarking trees. So these things, I think, are going to have more conversations around them. We don't want to raise alarms with this.
We just want to give these here: hey, next time you're doing design or improvements to your substation relays, think about these things from an attacker's point of view. That will help you not only recover from a bad day, like someone made a mistake, but it'll also protect you in the case that maybe a threat actor does decide to start targeting these systems on a more regular basis than just what APT44, or Sandworm Team, has been doing.
B
And Anthony, I like that point you made earlier about getting engineers to think about things from kind of a security mindset and framework, even, again, Chris, as you kind of noted, with the ever-present cyber squirrel incident being the more likely cause to run into today. But when you think about some of the things that, you know, in some of the environments you've been in, some of the things that defenders get wrong, and where, you know, you have a list of these 10 security practices, we don't have to go through all of them, but where you see kind of the most value that can be gained for closing some of these security gaps: what are kind of the areas that you see as some of the biggest challenges in the space? Obviously resourcing can be one, but what are some of, you know, given these resource constraints, what should organizations, what should defenders in the space be looking to kind of close gaps around?
A
I'll take a stab at it. I mean, without reading everything from the top 10, but making sure remote access to these systems is controlled and monitored, making sure that these systems have good backups and good critical spares. This often happens organically because things fail. But having those is gonna help really reduce the risk. If you can control your remote access, hopefully two-factor, or if the second factor is physical, good physical security, that is important. The rest of the things are like disabling unused services. That just makes sense.
D
Yeah. The main thing that I think we see is defaults, right? Like insecure defaults. So the simplest thing you could do is go through your environment and change those default passwords. That's the lowest hanging fruit, easiest to remediate in a lot of the cases. Specifically with protection relays, we see even jumper settings that can be made to disable some of the functionality of the device that's not needed after a SCADA system is overlaying it, or another grid management system or whatnot. These should be looked at by the engineers after commissioning, and disable what you can while making sure that you've got everything on that you need to operate safely and conveniently, but securely.
B
Maybe to kind of tie things together, any final thoughts? I'm going around the horn here. Any sort of areas of further research that either yourselves or you would like to see from others to kind of advance this topic? Any sort of predictions or thoughts as to how the kind of threat landscape around this will continue to evolve? Any sort of final thoughts to close us out here?
A
You know, the final thoughts are: for those that have been doing this, been doing relay security for years because of NERC CIP or otherwise, we appreciate you for doing that. A lot of these things are unsung; hey, we're just trying to do the right thing. And so for those that haven't been doing it, I encourage you to reach out. We have a community out there in OT security, ICS security; there's conferences out there. Get involved, reach out to us on social media, on LinkedIn, and ask us, hey, how can we get involved and plugged in, increasing your level of awareness around securing these substation systems, whether you do it today or not. I think we all can learn and share from sticking together on these topics.
C
And apart from that, whatever we have focused on so far, our main focus was around the protection relays, but there's a lot that we can cover under the TSO, transmission system operators. So if we talk specifically about that, there are remedial action schemes, which also trigger when any fault arises in any of the places of the entire grid within the entire country. So we haven't covered that part, and there are more components to it, like automatic generation control, and when we think about the transmission of electricity between two different countries, then there are different components like HVDC that come into the picture. I guess the further research that we'll be performing will be focused on the entire TSO as a whole. Not just the protection relays, but it will cover the entire TSO for the entire nation as a whole.
D
And I guess just a final thought for me is that I know we're focused on protection relays in this blog, obviously, but there is a lot to apply to other special-purpose solid-state devices that have replaced electromechanical systems across critical infrastructure. These lessons, these best practices, really do apply across the board in a lot of cases. In most cases, I would say.
B
Well, I think there's a lot more, obviously, that we didn't get into today that's in the blog. We'll include a link in the show notes to that. I highly recommend folks read that or share that with anyone that you know that works in this space. You know, I think I'll make an analogy to, you know, what we've been seeing with Scattered Spider and organizations reaching out and working with their help desk to help inform them of that, or the North Korean IT workers, you know, security teams reaching out, helping train their recruiters and HR folks around this threat. I think there's a lot that can be done where security practitioners can reach out and work with, you know, non-security-oriented engineers in this sector to help improve security as a whole and make them an extension of that same goal and effort they're working towards. So thank you all for sharing your kind of perspective here. Again, great blog. And to the other authors who worked on it as well, as I mentioned, we'll include a link in the notes, and everyone take care.
A
Thank you.
C
Thank you.
Podcast: The Defender's Advantage Podcast
Host: Mandiant — Luke McNamara
Guests: Chris Sistrunk, Samat Bisht, Anthony Candarini (Mandiant OT Consulting Team)
Release Date: July 28, 2025
Episode Focus:
A deep dive into the critical role and cybersecurity challenges of protection relays in power grid substations, with a practical, 'Red Team' perspective on both threats and defense strategies.
This episode explores how modern protection relays—core devices at the heart of power grid substations—are actively targeted in cyber attacks, the real-world techniques attackers use (drawing from both historical events and red team experiences), and practical security practices for defenders. The discussion spans attacker reconnaissance, vulnerabilities in IT/OT integration, gaps in defensive posture, and guidance for utility engineers and defenders.
"These smart devices... now [are] done digitally with microprocessors... and now they have connectivity with ethernet ports... we can talk to them, program them remotely or not remotely." – Chris Systrunk (07:35)
"When we manipulate the settings or the logic... it can be a nightmare for the entire substation or the entire country." – Samat Bisht (10:40)
"Instead of allowing them to close when they're supposed to... let's make it sync with the grid in a chaotic cyber-physical way that will destroy the piece of equipment." – Chris Systrunk (12:25)
"Instead of it being a probability based attack, it is a knowledge based attack... an attacker that knows... can simply just attack it." – Anthony Candarini (18:41)
"You search through a bunch of shares. We found pretty much all the passwords we needed to get all the way down into the OT environment in two different ways." – Anthony Candarini (28:43)
"The simplest thing you could do is go through your environment and change those default passwords. That's the lowest hanging fruit..." – Anthony Candarini (38:15)
"We have a community out there in OT security, ICS security... get involved, reach out to us... increasing your level of awareness around securing these substation systems." – Chris Systrunk (39:28)
"When you manipulate the settings or logic... it can be a nightmare for the entire substation or the entire country."
— Samat Bisht, 10:40
"[Attackers] can manipulate settings that allow them to... keep on trying to reclose [a breaker] when there's a fault on it, right? That's obviously very bad."
— Anthony Candarini, 31:18
"Even for a very sophisticated actor... this still takes time to put together and operationalize. It takes time to actually gain some familiarity..."
— Luke McNamara, 33:47
"Engineers aren't dumb. We've been dealing with failure for centuries. Right. That's why we have these systems that are so reliable... what are the top 10 security practices for substation relays?"
— Chris Sistrunk, 34:30
The episode is a practical, field-informed guide for defenders and engineers alike, demystifying how attacks on protection relays may unfold—and, most importantly, how to shore up defenses using not just technology, but also changes in organizational mindset and basic cyber hygiene. The hosts encourage the critical infrastructure community to be proactive, share knowledge, and continuously adapt as technology—and attacker sophistication—evolve.
Recommended Action:
For further information or to join the conversation, reach out to the guests on LinkedIn or at upcoming OT security events.