Threat Talks is your cybersecurity knowledge hub. Unpack the latest threats and explore industry trends with top experts as they break down the complexities of cyber threats.
We make complex cybersecurity topics accessible and engaging for everyone, from IT professionals to everyday internet users, by providing in-depth and first-hand experiences from leading cybersecurity professionals.
Join us for monthly deep dives into the dynamic world of cybersecurity, so you can stay informed and stay secure!
What if you were the CISO of the city and had the power to control everything within the city? Wouldn't that be awesome? That's not reality. Right? Or is it?
Speaker 1: Because there is actually a city with one CISO. It's not a city in a traditional sense, but it's a whole airport, DFW Airport, we're talking about today. And I'm thrilled to talk today about everything that's there. If you are a CISO of such a huge, huge organization, we're gonna learn all about it and all the challenges that are in an environment like this. Welcome to Threat Talks.
Speaker 1: My name is Louis Jan Koning. And here from our office in Plano, Texas, we bring you the next episode. Let's get on to it. Welcome to Threat Talks. Let's delve deep into the dynamic world of cybersecurity.
Speaker 1: Let me introduce our guest of today. His name is Eric Baumann. I'm thrilled he is here. He is the CISO of DFW Airport, and he has decades of experience in IT, OT, cybersecurity. He's most of his days been responsible for anything security in his organization.
Speaker 1: So that can be a big, big task to fulfill. Big burden maybe. We'll find out today. Eric, welcome. Welcome to our podcast.
Speaker 1: The first thing I read, there is a thing in DFW Airport. It's called an OAN, an officer area network. What is that?
Speaker 2: Well, what we do with that, the police officers that we have at DFW, they have a variety of sensors on them, and part of that is whether they, you know, pull their sidearm or whether they have their taser or their body cams. We even have rings monitoring health and stress and things like that. So all of those have to stay connected not only within the officer, on the officer himself, but also connecting back to their vehicle and up through our computer aided dispatch and such.
Speaker 1: So any officer that you may see in the airport has multiple IP addresses then?
Speaker 2: Yes. Basically. Yeah.
Speaker 1: That's a really cool way to think of that. Welcome once again. Yeah. DFW Airport. Let's can you explain a little bit?
Speaker 1: Because we're not talking about officers. I mean, most people probably think that DFW Airport is about a few shops and a terminal and a few airlines that need Internet connection, but it's much more than that. Can you enlighten us a little bit?
Speaker 2: Sure. So there's 28 square miles basically of DFW. It's bigger than the island of Manhattan, so the airport itself is bigger than one of the boroughs in New York. We do have, you know, a lot of folks that work there. Interestingly, only about 2,300 ish at the airport itself, but about 63,000 doing support and, you know, concessionaires, airline partners, etcetera.
Speaker 2: So there's a lot of folks that work there. It's a twenty four seven shop, but we also don't have any residents, which is honestly kinda nice for a city, you know, not having anybody to worry about. No elected officials, obviously. We're more of a board type of city, but we are our own city with it.
Speaker 1: So you have a city in the sense that you have a police department.
Speaker 2: Police, fire, aviation security, obviously, so that they can help with aviation worker screening as well as vetting folks for their side of badges and things like that so they can get in and out of the airport with the appropriate levels of access.
Speaker 1: I mentioned one of the few things that sets you apart from a regular city is that you do not have to worry about home DSL lines and stuff.
Speaker 2: For the most part, yes. Yeah. The only ones that we have to worry about now are whether our concessionaires need access, but they on ramp through us. So we kind of act as an Internet service provider to them within the terminals and such.
Speaker 1: Mhmm. So, yeah, that's an operational nightmare, I would say. I mean, there are so many different is there such a thing as a DFW network, for example, like IT network?
Speaker 2: There is. So we have actually several different ones. We have our corporate network, which we have subdivided, of course, into, you know, different subnets and such. And then we also have, like I said, the concessionaires network where we run most of the not only concessions, but other, you know, third parties through that that need Internet access, but they don't need access into our servers or our systems. So we try to push them onto those.
Speaker 2: We've also recently released our 5G cellular network around the airport. So Mhmm. Right now, that's running a couple of the large size. If you're in DFW, you've probably seen those at either end of the airport, but there are also a lot more opportunities for that such as IP cameras, you know, that are in isolated areas. You know, maybe we put those on solar, but they can communicate back through the 5G network.
Speaker 2: So we're looking at a lot of connectivity options just to try to reduce some of that cost.
Speaker 1: Mhmm. So that's probably on the plus side. Compared to a city, you actually control, potentially at least, everything that is there on the infrastructure. So it's fiber. It's indeed the 5G and all that.
Speaker 1: Exactly. But I can imagine how I mean, if you're in an organization that is of the same size, then you can deploy technologies like NAC or firewalling, North Star Firewall, all those kind of things. But I can imagine that's harder because there are companies that are not necessarily you that it's a today, they have a mind of their own and maybe they wanna connect their own stuff. How do you cope with that then?
Speaker 2: So the way we've approached that is, again, we kinda have that isolated network for the concessionaires and third parties. And I won't say it's Wild West, but they can put their own on ramps, their own firewalls, routers, etcetera on there. Within our network, we absolutely do have network access control enabled, so you have to have certificates to get on the network. It has to be one of our types, our devices that we manage. Anybody else, maybe they can get on guest Wi Fi if they haven't done it too many times.
Speaker 2: So, you know, there are some options there, but we do lock it down pretty tight within the terminals as well as within all of our, you know, Department of Public Safety offices, our headquarters offices, etcetera. So we have more control over those. Is it know, within the different, I would say, departments within our organization. So, you know, each one of those, marketing, we still have marketing, HR, etcetera. They all have their specific needs.
Speaker 2: And sometimes you have to get exceptions for those, but for the general part, everybody's able to comply with our needs.
Speaker 1: What operational issues do you have that nobody else has, that you had to find a new way, invent something new, to prevent that threat from happening in that area? Airfield lights. Absolutely.
Speaker 2: All the little lights that are out on the airfield, they apparently have certain amounts of vibration that we're looking for and they can only tilt so far one way or another before they're out of alignment and the FAA needs us to go out. So one of the projects that we're looking at is can we put a, for lack of a better term, a smart light out there that gauges whether it's vertical or whether it's leaning a little bit, what the degree is. Do we need to go out and adjust it? You know, is there something wrong with it? Should be a gyroscope in there.
Speaker 2: Kinda. Yeah. It'd probably be something like that.
Speaker 1: Are those the lights when approaching, the red and white ones, so by the way, those are the edges of the
Speaker 2: white lights and such. And when you're they're guiding the planes to the apron.
Speaker 1: So what's the risk then of that, not the security risk here? Because are you concerned about a bird clashing into it, and therefore, it's like a health issue? Yeah. Or is it more, are you also worried that hackers get in and then change the tilting or Yeah.
Speaker 2: That's the bigger concern that I would have. And not necessarily that they get into it, but they're able to turn them on or And that would be more of an issue, I think, than, you know, whether they're adjusting the tilt on them. We, of course, have to get some telemetry out of these systems in order to determine is the light bulb working, is it burned out, do we need a replacement, does it need adjustment? But we really try to prevent anything coming in, so finding solutions that help us with that. And right now, this is very, very early stage for us.
Speaker 1: Well, let's talk a little bit about it because we talk to a lot of customers who have some form of OT problem. And generally speaking, OT is behind in terms of security measures, a, because it's always been part of the plans or the physical engineering location or whatever OT is used for. I mean, in harbor, for example, or in ships. And it has always been like a bit air gapped. Right?
Speaker 1: So people didn't really worry about it, and availability is more important. I'm sure airport is the same. It's more important that it's always online. And since it's disconnected, who cares? Because, yeah, you gotta have an enemy that can make Stuxnet for you to get into an offline system.
Speaker 1: But I can imagine, like you said, telemetry is one. This is more and more connected. So it's not simply we need to have some kind of IT measures, maybe also learn from the IT department to apply the same countermeasures. How does this work for DFW?
Speaker 2: Yeah. It's an interesting question. So we were able to isolate everything like you were talking about in the past, but now everybody wants to have the telemetry that comes off of those devices. And a lot of it is to feed digital twin technologies. So we're able to feed it in and it's allowing us to help do predictive failures, predictive analysis, or perhaps when we send a work order out for someone to go fix an HVAC, it says you've got this part to fix, but this other one's getting closer to failure.
Speaker 2: So why don't you just save some time, replace both, and we don't have to worry about going out the second time. So that's one reason to feed all
Speaker 1: that stuff. That's read traffic. Yeah. So you might argue, we'll just read and we'll put some kind of gate in there that only allows data in one if that's possible at all, but it's debatable maybe.
Speaker 2: Diode. You could do it Yeah. That Yeah. I've seen it done with a data diode. With fiber.
Speaker 2: You just only have the one way fiber, and you don't allow the other back end so that So then from
Speaker 1: a manipulation standpoint, it's still kinda air gapped.
Speaker 2: Yep. Exactly. Well, I'm guessing it doesn't end there for you. No. We still have a lot of systems that not only do we need to allow them to have that telemetry coming out, but, hey, we wanna go ahead and have it connect into other systems.
Speaker 2: So there's a lot of that interconnectivity that we try to work through and try to make it as secure as possible, but at the end of the day, we're trying to move passengers, planes, and bags. So as long as we're able to keep those moving, I think that's really the end result. Now, of course, if there's something that we think is just gonna be catastrophic, of course, we're not gonna allow that to happen, but we do, just like everybody else, have to balance that security versus, you know, the business need.
Speaker 1: Mhmm.
Speaker 2: And how bad do we need to get either the data out or something pushed in in order to do a change.
Speaker 1: On a very operational level, how do you do this? Because most of our relation patching is everybody knows you need to patch related things, but those lights, probably really hard to get a stable firmware there, and when do you patch it? So there's not really an option, so there's different countermeasures you need to take. Can you speak a little bit to OT specific strategies that you apply?
Speaker 2: Yeah. And I've actually hired someone to do my OT security for me. He's got a lot of experience with oil and gas, manufacturing, food products, etcetera. So I was really excited to be able to bring him on board. So first is hire somebody that knows what they're doing and has a lot of experience, but I've learned a lot from him in the past few months that he's been there even.
Speaker 2: He's really come in, dropped in, taken control of it, doing the Purdue model and such, which I think you guys have talked about before, but isn't always practical because you can't always have that isolation and that separation. So you do have to figure out, well, what am I gonna allow to go between those layers? What am I gonna allow to go outbound and inbound?
Speaker 1: And not only that, what often strikes me there is that the Purdue model is layered in a sense that we have but there's many different products that are in the same layer at the same time. And if we're talking about segmentation from for sure, just perspective, for example Yeah. It should be segmented the other way. So all the systems that all the lights should be all the Purdue layers can be from the lights can be in one security second protector as we call it. But Yeah.
Speaker 1: And we do this over and over again for different systems. Reason is if one system goes down, then at least there's no contamination into the other one. But that's not compatible with the
Speaker 2: That's actually what I had. I think it was week two when I was there, something like that. It was really early when I joined the airport, but I got brought into a conversation with smart restrooms. And I kinda thought it was a joke, and they said that I was the Smart restrooms. Yeah.
Speaker 1: Can you explain? That's awesome.
Speaker 2: Lets you know how many available restrooms are open within a given area. So you can go in and say, oh, I'll just go on to the next one, or now this looks like it's open. So sounds silly. It actually works. People like it, and it helps in the long run.
Speaker 2: But my thought was I don't want somebody, if they're able to get into one of the sensors or one of the PLCs in that area, I don't want it to suddenly be able to pivot to Yeah. Concessionaires or some other type of
Speaker 1: availability not being not in my DFW app is probably not my biggest concern. I'd rather if I can choose, I have one deck to fill and not the planes.
Speaker 2: Yep. Exactly. Yeah.
Speaker 1: So how but that sounds like a complete redesign.
Speaker 2: It's not so much. So with the current technology that we have deployed for networking, we're able to do the segmentation. Yeah. There are some modifications because in some cases, you would have to go re-IP a segment, but in others we might not. We might just be able to split it and say, hey, this is, you know, now a smaller segment of IP addresses than it was.
Speaker 2: Mhmm. So maybe to change the network mask or something But to that we are trying to get more towards, hey, on new projects and such that are coming in, make sure that those are by design, you know, on the segmented network, make sure they're all updated.
Speaker 1: So the key point here is that if two devices do not have anything in common, don't have the top three server, you make sure it's impossible for communication from one to the other is
Speaker 2: Or you can. Absolutely. Yeah. I mean, may be impractical. If you only have one widget that does a thing, then maybe it's impractical to make it its own subnet.
Speaker 2: Mhmm. But maybe groups of widgets that don't only do one thing should be grouped together so that they're all together. Yeah. But trying to prevent, you know, lateral movements even on the PLCs and on some of the other OT equipment is really critical, and I think that kind of flows in with some of the zero trust stuff.
Speaker 1: Oh, yeah. So it's textbook zero trust if you ask me. Actually, next week, we'll have a discussion with doctor Chase Cunningham who was really proficient in all this. I'll ask him what he thinks of the Purdue model when I meet him. Yeah.
Speaker 1: Okay. So to get there, so the transition, you say wasn't all that hard because you could re-IP a little bit without disruptions apparently, and the rest is regular life cycle management, I guess. So if there's a new version of something, you'll implement it the right way. Is that how you're so it's a longer term planning.
Speaker 2: Well and to be clear, the decision to do something is really easy because that's easy for me to say, hey, go take care of this. The actual implementation takes a little more planning. Of course, we, being an airport, are up twenty four seven and we need to make sure that we don't have any disruptions with any of the devices. Now the nice thing with operational technology is for the most part, it will continue operating even if it can't connect back to its management systems or other PLCs and such, at least for some short period of time. So even if we take them offline for a bit, we're able to move them over to a 5G network.
Speaker 2: We're able to move them over to a different network segment. So I think that's very beneficial for us. Mhmm. Mhmm.
Speaker 1: What about detecting what's wrong? I mean, I'll be the last person to say that the first thing you should do know? The first person to say that the first thing you should do is apply this segmentation. So, I mean, if you can do prevention, you always should, I think. But there are certain things that doesn't mean you're never looping what's going on or and maybe there's part of your network that you're less proud of or that happens everywhere.
Speaker 1: So then detection is the thing. How do you do that? How do you make sure that you know the Russians are in Zotongo or not? Well, nation state actors are
Speaker 2: a little different animal, but for any others that may look for compromise, we have a lot of intrusion detection. We do employ honeypots within our network. We do, you know, with the segmentation and such, lots of internal I won't say laws. We have internal firewalls. So we're able to prevent certain areas from talking to other areas within that.
Speaker 2: And if something does move down the chain, we have that layered defense. And I know that's an old you know, everybody's tired of hearing layered defense and all that, but
Speaker 1: Doesn't make it less true. It doesn't
Speaker 2: make it less true. That's right.
Speaker 1: Yeah. Okay. So it sounds like you're doing almost everything by the book, at least a modern book of prevention and it's actually at the same time.
Speaker 2: Yeah. I agree, and it's nice because when I came in, when you're going into a new environment, you don't really ever know quite what you're walking into. You know, you know what you've been told during interview processes and such. So I, you know, the past few times have taken a good ninety days to identify what do I need to do, what's going on, is there anything I need to change, you know, what do you keep, what do you invest, and what do you divest? So, you know, trying to figure that part out.
Speaker 2: And honestly, when I got here, the program was very well built and the only thing really missing was that OT person to manage security. The folks managing all the OT devices, they already knew, hey, we need to protect this stuff because if these things go down, baggage handling system, baggage reconciliation, then we have a lot of problems. So we wanna make sure that all of that stuff is operational. The biggest one, I think, that is visible to everyone is the flight information display system, and that is where you find your gate and what flight, and is it on time, or am I delayed? So with those, if those happen to not be available for some reason, yeah, we could go to paper, but that becomes very, very tenuous at best in order to get the accuracy that we need.
Speaker 1: I can imagine. Yeah. To me, the airline industry is always an example of how we should perform in the cybersecurity vendor worlds. Why? Because there's no room for error.
Speaker 1: Every casualty is one too much, and, honestly, we're not doing a very good job because when I started my job twenty years ago, I thought, like, well, as soon as there's gonna be in the news leak after leak after leak, then probably people will take it seriously. It's not the case, honestly, because they're numb almost to all of it, but I can imagine that also in DFW, you inherit some of that mindset of airlines that everything should be perfect all the time. Is that so? And does it make your
Speaker 2: job easier? It does not make my job easier. Really? I won't just flat out say that. Okay.
Speaker 2: But, you know, we are considered critical infrastructure. You know, we're the second busiest passenger airport in the US, third in the world. So we know that if we have any impact to flights, that has a lot of rippling effect throughout not only the United States, but also with international travel. So, yes, we take it really seriously. Now, one of the things that we try to do, and has been more of the mantra the past year that I've been here, has been building that resilience.
Speaker 2: You know, being able to take the punch, but be able to work through it and, you know, continue forward. You may lose a piece, but is that really that critical? Does it still, you know, are we able to recover it at some point? I think a big point is, you know, if I lose email, does that impact my passengers being able to move from one gate to another, board the plane, and depart, and make sure that their baggage is with them whenever they get on that plane? So being able to understand what are my critical systems, what do I really need to protect, and then the rest of this stuff, yeah, it's important, but it's not life safety, passengers moving, airplanes moving, bags moving.
Speaker 2: So, you know, those are kind of the criteria we look at for is this critical, and is it a focal point?
Speaker 1: This is actually what I mean because many organizations would love to have this. But you're saying it's not easier. Oh, okay. But your people understand this, that's how important security is. Yeah.
Speaker 1: Yeah. Absolutely. So
Speaker 2: when I got there, there's a building we call the Integrated Operations Center and they had this really cool display up that has a picture of the airport and it has all the aircraft that are taking off and landing, whether they're departing, they're a different color than if they're arriving. Right? And I saw that and I said, that's really what the mission is. And I think sometimes the team, when I got there, we were kinda doing cyber for the sake of cyber and, you know, the IT was, hey, we'll do IT stuff. You need more thing, you get more thing, you know, whatever happens to be, more servers or more network or wherever we need to do it.
Speaker 2: And the mission was really, I won't say lost because I know that a lot of the people take it very seriously, but I had a TV put in my room so that I could put that display on so that when I do have people come and visit, they see it and they go, oh, what is that for? And I said, it's a reminder that that's why we're here, not why we're making a new, you know, application allow listing or we're doing something else to impact these folks.
Speaker 1: You connect the business constantly with the mission and the business with the day they work. That's right. How important is educating your employees? Oh, I think it's huge.
Speaker 2:That is massive. I mean, we security awareness is alive and well, I'll put it that way. It depends on how you do it. Some people will react well to online training. Some people react better to in person training.
Speaker 2:So and it's not everyone is equal, especially within the city. So with our knowledge workers or our traditional office workers doing online training, no problem. They can take care of all that. With some of our other folks that aren't on a computer all day long, they aren't able to quite connect why cybersecurity is important to them, so we bring it out to them. One of the folks that we brought on board, she was able to go out and talk with our fire PD and our aviation security
Speaker 1:Mhmm.
Speaker 2:Meeting them on their training times when they were available on their shift changes and such like that, and make it where it's more accessible to them. So when she's training fire, there are images of the firemen. There are images that they're relatable to, and, you know, she was able put some really interesting things together for analogies. You know, hey, this is cyber security's related to fire and here's how. Mhmm.
Speaker 2:We actually received more compliments from the firemen than I truly expected. They actually sent in saying this is the best training I've had in fifteen years, you know, oh my gosh, she has to come back and do more training for us, things like that. The really interesting part was I was expecting a drop in their scores. I think I was expecting their scores to get better. What kind of scores?
Speaker 2:Their phishing tests. Ah. So we do monthly phishing testing. I know that there's a big debate whether that's useful or not, but we do. Mhmm.
Speaker 2:And they didn't do so well in in DPS, but I was amazed by the improvement after going out, having that in person training, and the delivery that meant something to them. I mean, it was a very significant drop, much more than I was anticipating. I think I just about fell out of my chair, I'll be honest. Really? So, yeah, it was it was huge.
Speaker 2:And we still have them say, oh, I remember she came out and did this training for us. I wasn't I'm not supposed to click on things like that. And I get stuff from from my chiefs out there that say, hey, I I got this. You know, is this one of your tests or is this something I should report?
Speaker 1:So How often do you need to retrain people in your experience?
Speaker 2:Honestly, what we've done is just we do it annually, but during the fish, if you fail it, we'd have a short training that we're trying to go through. Oh, yeah. We're also looking at some different technologies for that that are more human risk based and I think that that is a really interesting way to go. So as they start doing having behaviors perhaps that aren't aren't really cyber safe, then it might pop into teams and say, hey, why don't you take this little two minute video here? Or, you know, everybody's on their phones all the time.
Speaker 2:What if we could publish something that's a two minute little video that's more like social media
Speaker 1:Excuse me.
Speaker 2:Than, actual, hey, we're gonna do this training. So, you know, if can meet people where they're at and provide that training, I think that that's really important and adapting. The hour and a half long guy that's rattling on and droning on, not useful anymore. Nobody wants that.
Speaker 1:Yeah. So you adapt to your public. That's the biggest takeaway, I think. Yep. Yep.
Speaker 1:Let's talk about let me take a level more abstract or more more strategic because what you're what you're explaining is there's a lot of things you actually do, right, whether it's user training, whether it's segmenting your network, whether it's we didn't even talk about patch management or multifactor authentication, or we could have we could talk for a couple of hours again.
Speaker 2:And that's everything. That's right.
Speaker 1:Yeah. Exactly. But but you actually you you do this as a SITO. That means that you have you you you you can actually make an impact on DFW, and maybe that's part of because DFW is really aware that and it's so important. Can you speak a little bit on how that is organized in in your and and and maybe also what the role of the CSO should be in organizations like you?
Speaker 1:And the reason I'm asking is, recently, someone came up to me and said, hey. Listen. The CSO and the CFO, they are both in the boards. They're not everywhere, but shouldn't they have equal powers then, dude? So shouldn't we expect this?
Speaker 1:Yeah. Because if the CFO says, yeah, we're gonna divest this or we're going to not do this merger or whatever, everybody listens because this is the person who knows their his finance stuff. So it it's a mandate. Right? But often, we don't see this with CISOs that they don't get that that they they know they're talking about.
Speaker 1:I mean, that that's what they're educated for, and that's what their their experience is, etcetera, but it's not sometimes it's the IT manager or the procurement manager or even the CEO that calls the shots, and I'm interested in your opinion about this. I realize we might be polarizing a little bit because there's many different opinions.
Speaker 2:Yeah, there are. There's a lot of different opinions about it. But I think one thing that I am extremely fortunate about or at DFW I'm fortunate for is the executive support that I receive. Mhmm. You know, I've I've taken it as a I have to be very a a very good steward with the resources that I'm provided, not only funding, but also personnel and just that that trust that I have.
Speaker 2:You know, it it's it takes a while to get that from other leaders because they wanna make sure that they understand where you're coming from Mhmm. How you're going to react in certain types of events and such. I think I've built up some of that political capital at this point and I've proven that I'm trying to be a good steward with the resources that I've been given. That being said, I have very good support from not only the CEO and all the executives, but also the board of directors. You know, if we go in and we make a reasonable enough case that this is the risk that we're trying to avoid or we're trying to reduce and this is how we plan on doing it, here's all the things that we've looked at.
Speaker 2:Mhmm. You know, here's three things we've looked at, three different tools or three different types of of way to solve the the risk. And as long as we can back it up, they seem to be reasonable for it. Now if I go ask for a billion dollars, they're probably not gonna get Yeah.
Speaker 1:But then if the CFO asked for a billion dollars, they would also not get it.
Speaker 2:Oh, you know, we do a lot of construction. So, you know, the B word is turned around a lot there. But, you know, for my stuff, I've been very fortunate. Again, I don't have nearly as much to protect as some of the private sector stuff. You know, some of the businesses that I worked in, we had a lot of folks that worked there, lots of accounts, lots of machines.
Speaker 2:When I was at McAfee, you know, we had maybe 8,000 people, but we probably had 25,000 servers and workstations.
Speaker 1:Yeah. But you didn't have planes in the air to need to...
Speaker 2:But I did not have planes in the air. That's true. But we did have support for airlines and all critical infrastructure. But I think that I've got great support.
Speaker 2:Now, as far as the role of the CISO, that's one of those huge cans of worms that gets hotly debated. The way I look at myself, and I can't say that I am the perfect be-all and end-all or the ideal or anything else, but the way it's worked for me is I started in tech support, worked my way up through a bunch of different positions. I've ended up at CISO, and be careful what you ask for, so you will get it sometimes. But I was able to retain a lot of the technical.
Speaker 2:I did realize in my last job that I needed to relinquish some of that so that I could focus on strategy and more of that relationship building with my peers within the rest of the business. So I've done that with this job, where I told them, don't give me an account. I don't want access to anything. If I need a report, I'll ask you for it, or if I need access to something...
Speaker 1:That really helps you, not only in your job, that you have the technical background and the knowledge of what the operational guys actually do, but it only helps you in gaining credibility with the board and everything, so they understand that you really know what you're talking about.
Speaker 2:Yeah. Well, and it provides that level of trust for my folks. All of my team members know if they come to me and say, I think we should do this, you know, I may have a different approach to it, and if I think it's going to be negative, then we'll discuss it a little bit and make sure that they understand what they're actually wanting to...
Speaker 1:to Better
Speaker 2:judge of what they're saying. But I will absolutely back them up, you know, if we do something and perhaps there's a little negativity that goes along with it. As long as we're doing the right thing for the right reasons and we tried the best we could, I think that's the important part. As far as me being technical, I have absolutely tried to embrace the executive office. So we'll see how that ends up working, but I do find myself falling back into...
Speaker 1:No. No. And network routing never gets old. Amazing. Yeah.
Speaker 1:There are two more things I'd like to talk about. One is resilience training, because I can imagine, if you want to do a practice security incident or anything, you mentioned several times that DFW Airport is a 24/7 operation, so you can't really shut stuff down and then try to simulate it in an instant. How do you do this?
Speaker 2:Yeah. That's a great question. Tabletops. So, a lot of tabletops. And then we also...
Speaker 1:That's a lot?
Speaker 2:We do four a year. Now, that doesn't sound like...
Speaker 1:Four a year. Yeah.
Speaker 2:But it's trying to get coordinated with all of
Speaker 1:our
Speaker 2:executives. You know, a lot of our C-levels and senior executives will come to these and at least watch the participation if they're not actually participating. I know that, talking with some of the other airports, they run a lot more than I do. They run, at least they said, about one a week, I believe. I'm sure that they have a few weeks there, obviously, that they're not, during, you know, holidays and this, that, the other, but that would still probably be, you know, thirty or forty a year, and that's amazing to me.
Speaker 2:I really have respect for the folks that do that. Now, what we've tried to do is gamify some of it, reduce it to just my team
Speaker 1:Mhmm.
Speaker 2:And just cyber and say, okay, what would happen if we lost this control or that control?
Speaker 1:Mhmm.
Speaker 2:And that also plays into our resilience, governance, risk and compliance folks. You know, they start looking at it and go, oh, we didn't consider that, or, yeah, we have a contingency plan for this already. You know, here's the DIA.
Speaker 1:So, to be clear, what you're doing is you fake-practice that there is a certain system not working. That's right. And now what? And then someone is almost prank calling. Yeah.
Speaker 1:There's a whole line of passengers that can't get past security, stuff like that. Yeah. Yeah. So make it as real as possible.
Speaker 2:Yeah. We have a large activity that we're going to be doing for FIFA coming up this year, so it'll be pretty interesting, I think, to see the different departments, including DPS, coming together with us to identify, hey, we have an event going on. What can cyber do for us? How can we support each other in this, even more so than what we're doing currently? So I think there's a lot of opportunity there to work with all my partners and build that trust more.
Speaker 2:The chiefs over at our DPS, that was one of my focal points, because they felt like they were one of those, I call it an underserved business unit. Right? They had a lot of technical needs. They didn't seem to be getting a lot of attention. So just me going over and talking to them, not even necessarily about cyber, but, you know, hey, what kind of technical problems are you having?
Speaker 2:What kind of technical issues, you know, what needs do you have? How about your firemen? You know, what happens when they get in the back of an ambulance? You know, do they log in? Does it take them five seconds?
Speaker 2:Do they need to lower that to a badge tap or something more practical? So, you know, just having the conversations with your peers, getting to know people is... Yeah.
Speaker 1:So it's more than just practicing a disaster. Exactly. So it's constant communication. Yeah. Now, a while ago, there was the CrowdStrike outage.
Speaker 1:Most people in cybersecurity have been working nights then. How was that for you?
Speaker 2:Fortunately, we, as the airport, weren't affected directly. Obviously, our airline partners were, at least several of them were. Some of them had to cancel either a big chunk of flights or all of their flights, depending on, you know, how many actually came into DFW that day. We were activated over to the integrated operations center, and then we were just calling our vendors, as cyber, to make sure that they were still able to service our needs. You know, that their cloud wasn't down or our SIEM was still running or, you know, this, that, the other thing.
Speaker 2:Our MSSP was working. So we still had to go through our tree and make sure that we were safe, and then be reporting to the CEO at the same time, making sure that he understood what the status was at the airport. Other airports weren't quite as lucky as we were, and, like the flight information display systems we talked about, that's how I know that you go to paper, because theirs were down
Speaker 1:Mhmm.
Speaker 2:And they were writing them on the big giant Post-it notes to post on, you know, the columns and stuff.
Speaker 1:It was a real-life exercise then.
Speaker 2:It was, exactly. And, you know, it's something that I bring up to my folks. Let's remember what happened, and how do we prevent that from happening in the future? And if it does happen, do we have the big giant Post-it notes just in case?
Speaker 1:I was curious, is there anything you changed after this event happened that you can share?
Speaker 2:Nothing, really. We were able to get through it. That's good. We did evaluate it and then decided, you know, do we need to have a different strategy with our endpoint security? Do we need to change anything?
Speaker 2:And while we already have a couple of different endpoint vendors for various reasons, we didn't feel like we needed to change the strategy at all at the time. Now, we did go through and look at configuration changes, and whether we are doing ring deployments on all the ones that we do have, just to make sure that we weren't in the same situation where, if they did... Yeah.
Speaker 1:Ring deployments weren't possible before, right? Yeah. Now it is, luckily. Luckily, they finally changed it. Exactly.
Speaker 1:Yeah. Okay. Clear. Let's talk a little bit about the future. You mentioned digital twins
Speaker 1:earlier. How does that help you? What are your plans here?
Speaker 2:We have an existing one that's more for our facilities, the building automation systems, you know, more the operational side, more the operational technology side. What we feel that is going to bring us is that predictive capability to understand when something may be reaching that mean time between failures and could have a negative impact on us. It also gives us, you know, some proactive capabilities of sending folks out saying, hey, just go take a look at the thing, you know, make sure that this is working properly.
Speaker 1:And this is where you have OT and have their metrics, the telemetry, in a central system that you can then query, instead of having to do this in the physical world, making sure that... I mean, if the digital twin gets hacked, that's less of a problem, so then you have more capabilities there. Is that what it is?
Speaker 2:Yeah. Exactly. And then on the IT side, since I've seen what the capabilities are on the OT side in doing that replica, I would like to be able to see something like that for the IT side. You know, do we have either a twin of the network or at least some sort of capability to say, here is the version of, you know, the operating system that we're running on this thing, the application, etcetera.
Speaker 2:You know, what does that look like if we lose it? Or what happens if we lose a switch upstream or a router or a firewall?
Speaker 1:Mhmm.
Speaker 2:You know, and if that's a critical system, all of those things in that chain are critical systems, so therefore, you know, we have to make sure that we patch and maybe do maintenance on those devices carefully, or flip to a backup, or, you know, how do we do it?
Speaker 1:Yeah. And figure out what is a safe place to start rolling upgrades or something, because you understand the traffic and all that, and validate that the traffic is not on this switch before you reboot it, all that stuff.
Speaker 2:Yep. 100%. We do DR testing also. I think this kind of goes back to your question on resilience. We actually do live-fire DR testing.
Speaker 2:Yeah.
Speaker 1:You have to do it when the airport is operational.
Speaker 2:It's scary. And we're able to. So we're able to flip from one system to a backup system and then let it run for a little while and then flip back. So my team has done a great job, I think, with that, and I brag on them every chance I get because of the number they're able to hit every year with that, and it's just time racing. Yeah.
Speaker 1:And, yeah, I always think of chaos engineering here. I love that concept, where you're deliberately, constantly in production, breaking things, and therefore get used to resilience, get used to failovers, and get used to that. Many organizations are really scared of doing a DR or migrating temporarily to another data center because they need to replace a switch or whatever. But if you're doing it like this and constantly changing, then it's a habit.
Speaker 2:Yeah. Exactly. I think Netflix had that with their...
Speaker 1:Netflix. Yeah. Yeah. Chaos Monkey. Yeah.
Speaker 1:Killing containers in the network. Yeah. And then the automatic password.
Speaker 2:I'm not to that stage. I don't think I'm prepared to go there. But, you know, doing the live fire that we've got documented, I'm okay with those.
Speaker 1:I know a story about a CTO that went into the data center and would randomly pull a plug and see what happened. Just in production. It's the physical chaos monkey. It may be a bit irresponsible, but if you can pull it off... Yep. I mean, that would be awesome.
Speaker 1:I mean, an airplane, for that matter, if a system fails, no problem. I mean, yeah, a different playbook in the pilot's mind,
Speaker 2:but... And honestly, that's a great analogy. That's where I've been trying to kind of get us to: hey, we had a failure. Great. Where's the playbook? Let's pull that out, go through our little checklist.
Speaker 2:You know? I love checklists, and if I can say, did we do this? Yes. Did we do this? Oh, we forgot that.
Speaker 2:Great. Let's do that real quick. Oh, look. We're back up. So I think that there's a lot of relation that we have there, just for the checklist, with the aviation community and, you know, the way that the pilots know how to handle themselves.
Speaker 2:So, you know, be calm in an emergency.
Speaker 1:Well, let's all look into that and then download a few checklists of pilots and mimic them, port them to our IT world. One last subject that I briefly want to talk about, and everybody's talking about AI, of course. Is that of any importance to your organization as well? Can you apply that tech, apart from the CSM that summarizes your email? I get all that. But specifically for DFW, is it something you're looking into in the future?
Speaker 2:Yeah. We use Copilot like everybody, well, I won't say everybody else, but a lot of
Speaker 1:us do. Yeah.
Speaker 2:We did publish our policy that basically just says, here's the official one to put DFW confidential information in, or any mention of us, but you're still allowed to go do research with, you know, your other tools if you have a favorite, you know, if you're using OpenAI or Gemini or something like that. So we're not preventing people from doing it, because I don't see the point in blocking it. Honestly, it'd just be... They'll do it anyway. Yeah. You're just going to be blocking a new one every day.
Speaker 1:It's like blocking a messaging app.
Speaker 2:Exactly. And what's the point of it? So we tell people, use it responsibly. You know, if you have questions, need training, let us know. We're happy to work it.
Speaker 2:And we've had quite a few requests for, you know, hey, can I use this tool? So we'll go through our AI governance process and say, you know, hey, this looks like it's something that's okay. You know, here's how we're authorizing you to use that tool. We have built some of our own, again, like the digital twin, where it'll help us with predictive analysis and predictive capabilities as well as just testing. You know, what happens if this thing goes down?
Speaker 2:What happens if we take three things offline and see if the two do what they were designed for? So I think that it'll help us there. Now, from a cyber perspective, as you know, we've had AI and ML in our tools for half a century. I mean, ever since... And
Speaker 1:we just called it differently.
Speaker 2:Yes. I know. We didn't call it AI at the time. We called it Bayesian and heuristics, but...
Speaker 1:Machine learning. Exactly. Deep learning and all those.
Speaker 2:Yes. But it's been around for a while. I do have some thoughts that I want to try to build up on that, such as, you know, hey, are my policies all compliant with all the regulations that we have to abide by? Yeah. Here are some gaps.
Speaker 2:Great. And then go out and keep an eye on those so when they change, you can say, hey, we need to modify this policy, or something to that effect. Now, that's a cheesy way to do it, but I think that builds on, hey, here are my vulnerabilities.
Speaker 2:Hey, here's all the stuff from my CMDB
Speaker 1:Mhmm.
Speaker 2:All of our inventory information. Go tell me where to prioritize these.
Speaker 1:Yeah. Yeah. Because a lot of times, patch management is a very hard thing, because you need to constantly do it, and that is not really the same as making a stable network. If it's not broken, don't touch it. Well, the AI connection.
Speaker 1:Yeah. Exactly. Make sure to prioritize the things that really matter, because many times you have an operating system bug in a library that is impossible to get to anyway, so you are using or plan to use AI for that. Yeah. One thing that worries me on AI, and we recently recorded a few podcasts about this: actual threats that are new with MCP servers and prompt injection and all that.
Speaker 1:And it's really scary, and there are a couple of startups that are actually trying to find a solution for this, but you can trick OpenAI or your MCP server. Just for those in the audience who don't know, it's like a building block of AI. For example, the departure times of the planes could be... you could build one, and it's almost like an API that your LLM could talk to. Yes. But there are all kinds of clever prompt injections. I mean, we've seen Kubernetes clusters going down, completely being erased, because someone did something clever.
Speaker 1:Right? And it's really hard to control. It's more of a supply chain problem, actually. Yeah.
Speaker 2:I've seen that too. So I think one of the challenges that we're going through at the moment is just that AI governance component. You know, what are we going to allow in...
Speaker 1:What are your criteria?
Speaker 2:It's kind of loose right now, I'll put it that way. So, not one that we really have published out there.
Speaker 1:So, okay. And then, yeah. I know many organizations that are currently working on them or already have them, but it's a challenge to do it, because it changes so fast. I mean, if you had asked me what should be in this policy document half a year ago, it's a different answer than today.
Speaker 2:Yes. Yeah. And that's one challenge with government: pushing policies through. It tends to take a little longer than in the private sector.
Speaker 1:You need to be ahead of what the government tells you.
Speaker 2:But our current AI policy that we pushed through for the board took a while. So we actually updated it probably two or three times while it was in reviews, and we finally got the last one published. Okay. Good. I think we're good there.
Speaker 2:But, you know, again, the technology moves very rapidly, and we're trying to figure out how not to be behind on our policies and such.
Speaker 1:Well, if we re-record this podcast half a year from now or a year from now, we can speak a lot about that, and the world will have completely changed. And that's also the fun part of our job.
Speaker 2:Hopefully, we'll talk about quantum with AI, and I think that's really where my head's at, because I want to see a lot of that predictive capability. We've actually talked with a couple of companies about quantum computing to see if it really has any play for us, and not really at this point for transportation. I can see where we would have some ideas for it and some potential for it, but I think it's a little far out still.
Speaker 1:Yeah. Yeah. Indeed, there's lots of learning in that area as well. And the first thing is, of course, the crypto, the entire crypto algorithms that survive this quantum age, but, yeah, we'll see. Luckily, mass production of quantum computers isn't there yet.
Speaker 2:And they have to be really cold, and that's hard to come by. Yeah.
Speaker 1:Yeah. Indeed. Yeah. Yeah. A couple of quantum bits doesn't bring you much, but certainly something to look out for.
Speaker 1:Thank you so much. It's really interesting to have a peek into this big city, DFW Airport, to get a feel for what it all entails, and great to learn about all the operational and strategic things that you are deploying, and I think there's a lot for our audience to take away from it. So thank you for joining. And to our viewers, thank you as well. Great that you tuned in today.
Speaker 1:If you liked what you saw today, please press the like button. It will help us spread the word further. Right next to it, there's the subscribe button and also the bell next to the subscribe button. That makes sure that next Tuesday, you will have our next episode of Threat Talks in your inbox. Thank you very much, and hope to see you next time.
Speaker 1:Thank you for listening to Threat Talks, a podcast by ON2IT cybersecurity and AMS-IX. Did you like what you heard? Do you want to learn more? Follow Threat Talks to stay up to date on the topic of cybersecurity.