Cybersecurity with Craig Petronella - CMMC, NIST, DFARS, HIPAA, GDPR, ISO27001

Elevating Airline Safety with Next-Gen Cybersecurity Measures

Craig Petronella

Prepare to navigate the turbulent skies of cybersecurity with Sige Brody, CTO of Optinine, as we unpack the pressing dangers and defenses within the aviation sector. Discover how Optinine's managed cloud computing services are revolutionizing the way airlines protect their most valuable assets, with a focus on robust disaster recovery and business continuity. Our journey will reveal the startling reality that, while commercial airlines protect company data like Fort Knox, their fleets might be flying with a target on their backs due to unencrypted communications and GPS spoofing threats.

As the conversation ascends, we examine the tightening mesh of regulations set to envelop European aviation by 2025 and contrast them with the FDA's slower pace. This segment dissects the curious paradox of current cybersecurity measures, where the commercial airline industry's crown jewels remain exposed to potential cyber-attacks. With Sige's guidance, we'll explore inventive solutions to these vulnerabilities, such as how backup software can serve as an early warning system against ransomware by detecting unusual patterns.

Finally, we chart a course through the future of aviation cybersecurity, scrutinizing the overhyped nature of zero trust and the expanding roles of IT managers in smaller organizations. We'll touch down on the need for simplified security architectures and the thrilling new frontier of space-based infrastructure, pondering the security implications of satellites and other celestial tech advancements. Sige Brody ensures this episode is a first-class ticket to understanding the complex, ever-evolving realm of aviation cybersecurity.

Support the showCall 877-468-2721 or visit https://petronellatech.com

Please visit YouTube and LinkedIn and be sure to like and subscribe!

Support the show

NO INVESTMENT ADVICE - The Content is for informational purposes only, you should not construe any such information or other material as legal, tax, investment, financial, or other advice. Nothing contained on our Site or podcast constitutes a solicitation, recommendation, endorsement, or offer by PTG.

Support the Show

Please visit https://compliancearmor.com and https://petronellatech.com for the latest in Cybersecurity and Training and be sure to like, subscribe and visit all of our properties at:

Speaker 1:

Hey everybody, welcome to another episode here of the cybersecurity podcast with Craig Petronella and, of course, myself, blake. Today we have a very special guest. We have Sige Brody. Please introduce yourself, sir.

Speaker 2:

Hey guys, nice to meet you, nice to be here. Yeah, my name is Sige Brody. I was the chief technology officer and co-founder of a managed cloud computing company called Webair almost 20 years ago. We sold that to a private equity firm about two and a half years ago and that ended up merging with a bunch of other organizations and that is now called Optinine. I am still the CTO over there in a part-time capacity and I'm also out doing consulting services around product management and cybersecurity for other interesting technology companies.

Speaker 1:

Nice. Tell us about, maybe, some of your core values at Optinine and then some of the other spaces and verticals that you work in.

Speaker 2:

Sure, yeah. So the primary value proposition of Optinine is really a managed cloud provider, and the services that Optinine provides surround management of public and private cloud infrastructure and then also a large focus on business continuity, disaster recovery and overall resilience. So with that we have services such as managed backups and managed disaster recovery. The important thing to note is that we are focused on working with organizations who have acknowledged that they don't have an appetite to take ownership and accountability of ensuring that their cloud infrastructure is properly managed and monitored and secured and scaled, that their disaster recovery infrastructure is set up properly. The outsource ownership of those layers to us and we are the ones responsible to ask the right questions, ensure the run books are in place, ensure the right buttons are pressed, and so on and so forth.

Speaker 2:

So as we look into the future and we see IT getting more complex, I think sort of outsourcing, sort of non-interesting or sort of transactional layers managing infrastructure being one of them is low hanging fruit and we see a lot of organizations making that decision. The other organizations I'm involved with I've done some investing in technologies that I think are cool and providing some consulting around there. So one company that I've been working with is called Sidiation. They are focused on providing cybersecurity protection for physical aircraft and they help them sort of get the word out. The aviation is, pretty surprisingly, is pretty far behind others that we're all familiar with as far as requirements around vendor diligence and proper security. So helping them educate and let people know what they need to do to protect their fleets.

Speaker 1:

What type of physical security does an aircraft require? I know that's a silly question and obviously Craig and I work with computers and servers. So to me, whenever you say physical security with aircraft, I don't know what triggers. So I'm curious.

Speaker 2:

Yeah, it's a really interesting sort of topic, especially for folks like us who have come from a new traditional cybersecurity background. But so when you think about a physical aircraft, there's a few attack vectors. The possibly most alarming one and most obvious one is that the radio frequency based communication. So you have planes and the ground and satellite sending RF type of signals and these RF based messages are unencrypted and unauthenticated. I think the unauthenticated pieces is probably the more critical. First, right, because if you can transmit a message powerful enough to be received by an aircraft, the aircraft has an assumption of trust that it is accurate information, and so you can do a lot of nasty things. In fact, a few months ago and so something like GPS jamming has been around for a bit. It's actually getting more sort of talk now because of the conflicts that are going on and the fact that it's actively being used by military. But more alarming is GPS spoofing, which, from our world, we go back maybe 15 years and talk about sort of just TCP or really just IP spoofing. Same thing right. At some point it was this holy grail. Is it possible? Oh, it's really difficult. What we got to work in some cases and then it became very prevalent, right, and so we're going to see the same thing. In fact, a few months ago, there was a period of about three weeks where about over 20 commercial and business aircraft were the victims of GPS spoofing, and they in you know, we're talking 787s, 777s, airbuses, gulfstreams and they all thought they were about 80 nautical miles off from where they were supposed to be. One of them almost ended up and I ran by mistake. That would be bad, and super interesting is that a few years ago, somebody had this great idea to enhance the onboard inertial positioning systems to take GPS in as another factor to better ensure that positioning is correct, and it was that system's always designed to be standalone, and now, when this happened, the GPS data came in the IRS. That system got super confused and it caused a cascading failure. All these other systems in the cockpit failed, and I'm talking about the planes that I just mentioned and basically these planes have to call air traffic control and say where are we and where should we go, which is surprising. So radio frequency is one. The other attack vectors really surround physical access to the aircraft and trust, and so if you think about the number of people that have access to these planes, all these subcontractors and vendors. Again, there is an assumption of trust.

Speaker 2:

If you have access to a device. Lots of these devices have ethernet ports, usb, some of them are pretty old PCMCIA, all sorts of different inputs. If you have access to those, then anything that you plug in there is assumed to be valid. You can override the place to config all that and when those types of attacks, you can modify the guidance systems, the navigational data, the autopilot, the actual control surfaces, even in the cabin people think, well, the cabin is separate. You get into a cabin management system. You can set off the fire alarm, the fire suppression system, the plumbing for the toilets. I mean you can force a plane to not take off or force it to make an emergency landing. So that really comes down to supply chain and vendor diligence and all that.

Speaker 3:

So there's all sorts of alarms going off in my brain. I'm thinking like pen tester for airplanes.

Speaker 2:

That's what this company does is a situation. They're doing vulnerability assessments for a physical aircraft.

Speaker 3:

So would it be possible for a hacker to either board a plane or go into an airport where there's maybe a busy airport, like Atlanta for example, where there's a lot of aircraft kind of taxing in, and use something like a, like a flipper zero or some type of device like that, to kind of either infiltrate or jam signals?

Speaker 2:

Oh yeah, absolutely. I don't know the output power of you know I'm familiar with that device, but as far as the proxy me requirement, I don't know. I mean, obviously those things are all possible, right, it's not a matter of is it technically possible, it's more a matter of you know how illegal it is, right. Same thing with, you know, shining the lasers up on the planes, right, like obviously anybody could do that at any time. We're just, it's just lucky that it's not being done much.

Speaker 3:

So my fear yeah yeah, sorry to interrupt you. My fear is that there's some type of spy balloon that has RF jamming capability, that, or even drones that are flown with some type of jammer capability to you know. You know that, all sorts of alarm bells going off. Oh, yeah, yeah.

Speaker 1:

Who has weaker secu. Oh, I'm sorry, go ahead. Go ahead, blake. I was just curious. I'm a huge Airbus guy so I've been, I'm on the Airbus train and I've invested in Airbus, like you know. Obviously I hold stock in Airbus and I have for I don't know years now. So I'm not a huge Boeing guy. But who has weaker security, would you say Airbus or Boeing.

Speaker 2:

Yeah, he's taken me right to the hard questions. You know it's interesting. I don't know that I can answer that we Sidiation works with both of them, and so what Sidiation really does is they're doing like deep R&D around these avionics components. And you know some of these planes are fairly old, right, and so when, when they were put into production assuming you know, physical access means assumed trust, you know that was. There was nothing wrong with that back then, I guess.

Speaker 2:

But some of these vulnerabilities like if you, if I showed them to you on the platform, they would read like this like the cabin management system, you know, has a hard-coded IP of 10.0.0.5. It's open to default credentials and if you plug into the Ethernet port, you can you can, you know, tftp over and override the configurations and configs right, like the types of vulnerabilities are not, you know, crazy just because it happens to be on a plane and unfortunate things if you're flying on a 30 year old plane, like you're gonna run into those types of things. Now, upgrading and updating those components can be very time-consuming, they can't just do it right. It could be only two or three years to replace a component like that, and so a lot, of, a lot of this sort of mitigation for those types of things comes down to security awareness, training and contextual awareness. You know, you need to be aware of these exact vulnerabilities which we know this fleet or this plane to be susceptible to. Instead of you know, sort of overwhelming them with just all the possibilities, make it very contextual.

Speaker 1:

Yeah, that makes a lot of sense and you know we we deal with, obviously we deal a lot of computers and devices and personal devices, business devices. But my follow-up with that is obviously these hackers that have a motive right. A lot of the motive that we see in our industry is financial. So, from your perspective, what is the motive to you know, hacking a plane for one, and what benefit does that do to an hack, to a hacker, right like? There's obviously got to be some motive, right.

Speaker 2:

So I did spend a little bit of time. You know I actually have a diagram around it. If I wanted to ransomware an aircraft, here's how I would do it and obviously there is financial benefit there, right, and you know the amount of money lost when these planes are sitting on the ground is pretty high, you know. I mean, can you compare it to a hospital being ransomware? I mean, it's probably close. I mean, some of these planes you know cost, you know, 80 to 100 million dollars and you know what does that look like when they're down for a week. And the the operators, you know they have insurance if an engine is fails and needs to be replaced. You know what is that. What is the loss of business amount to for a week? Loss of business for an aircraft because of some sort of cyber attack is not something that any insurance company in the industry is going to cover at all. Right now it is definitely in the gray area and I've talked to some insurance counters there and they agree.

Speaker 2:

But if I wanted to, you know, ransomware plane, you know, think of it. You know you have these. You have these vendors who are coming on and off the planes and plugging in laptops to all these systems. Now, unfortunately, there is almost no vendor diligence in this industry. If I'm, if I'm, if I'm the owner of a fleet and I am and I'm entrusting a vendor or a partner to perform maintenance or do updates or replace a failed component, there's no, there's no. Hey, fill out the cyber security diligence form. Show me how you and you know, enhance my security, not expose me to more.

Speaker 2:

And so those laptops, you know, are they running EDR? Are they going home and sitting on someone's home network? You know what is the cyber security posture back at the corporate office? Look like for these vendors that that's not happening. And so it wouldn't be fairly difficult to develop a true, to take a traditional ransomware strain, right, that gets into a traditional IT organization through phishing, social means, whatever. And once it's in, what are they doing? Now? They're looking for critical assets, right, they're designed to look for SQL databases, whatever. A critical asset you know. Swap that critical asset to a avionics vulnerability, you know, now, now, the ransomware sitting on these laptops, dormant, and it's just waiting to see, to see the right signature on a local land, and when it does, it can ransomware that component. And so the leap from where we are to sort of a more sort of I don't know industry specific or use case specific strain.

Speaker 3:

It's not that, it's not that sort of crazy right have any drills been done like to simulate attacks like that?

Speaker 2:

now. I mean, unfortunately, the like I said, industry is pretty far off. I'm I just spoke at a, at a, at a large business aviation conference a few weeks ago, talking about these things, and so that's what we're just, at the point where we're educating as like, hey, these are the risks, this is what's possible, what's not, and I think, similar to HIPAA and health care, it's going to take some top down sort of pushing on. You know, maybe you know warning, you know sort of threatening fines.

Speaker 2:

So actually in Europe, actually probably Blake, going back to your maybe maybe going back to your Airbus comment a little bit but the Europeans do have a cybersecurity for aircraft regulation going live next year, in 2025, and it's great. And if you look at it, it reads like what you guys would be used to. You know proper monitoring for unauthorized access, proper securing of making sure they're running the latest firmware, anything that you would see under normal sort of cyber requirements. They're requiring that on physical planes and so that will help. The FDA traditionally is a little bit behind YASA on these, but it's coming. Tsa has some requirements around it now, but they don't. They don't cover, you know everybody, and they actually also now just recently, made an announcement that if you want FAA funding for airports, you need to include in your proposal how you plan on protecting the airport from a cybersecurity perspective. So it's starting, but it will take time. We just really need to be out there. You know advocating, sure I'm sorry, blake, real quick.

Speaker 3:

So what about DOD, or Department of Defense in military? Is there any? Is it still education there or is there any testing being done?

Speaker 2:

Oh yeah, they're like in a completely different frame of mind. They are very advanced and they do a ton of stuff in this area and they're not like. Their RF communication is not like what I'm talking about, right, so they have their own stuff and, from what I understand, they're aware of all these things and they protect themselves. Okay.

Speaker 3:

So it's kind of like the traditional trickle down effect. You know big companies, big militaries, and then it comes down. But you know the system right.

Speaker 2:

Yeah, I mean I think it's really ironic and interesting is, if you think about commercial airlines right, some of the largest in the world, all the names that we know about they spend millions of dollars a year on cybersecurity. They have their own, they usually have their own socks and they're paying threat intelligence companies. You know half a million or three quarters of a million dollars for threat intel on their organizations to know what's going on. Very mature sort of internal. You know cyber teams, yet ironically, their most critical and price assets the aircrafts they have no visibility into those at all, into what's going on whatsoever. And so part of what you know a situation is trying to do and what I'm helping them with is, you know this is, this is a bridge. You know the platform that they're developing, which is really it's a real time, it's a vulnerability assessment, but it's also continuous. You know that can speak, that can feed data into the SIM. You know we can. You know it already has. You know Mitre attack framework. You know notifications. It can speak sticks taxi. I mean we need to create a bridge between the existing cybersecurity apparatuses and these new threats.

Speaker 2:

In fact, at Optinine we did something similar. Optinine is in the business of you know, like I said, managing backups and disaster recovery, and part of that is we actually will deploy and manage backup and replication software at our at our customers, you know locations or on their servers and we manage them. And we noticed that a lot of customers were coming to us to consume those services because obviously they were they were, you know, mindful of security and they wanted a capability to recover post attack. And then we realized that when attackers who are looking to ransomware an organization get into organizations and IT infrastructure these days, they're actually one of the first things you're doing is a very common pattern in workflow. One of the first things you're doing is they're looking for those backup and replication tools. They're seeking them out so that they can destroy any, any potential for recovery and, blake to your point, if that's what your economic benefit is, I want to get paid a ransom. I'm going to do everything in my power to improve the likelihood of getting paid.

Speaker 2:

So, because we knew they were looking for these backup and replication tools, one of the things we did was we built an ad, we built this add-on to our offering, where we would run the backup software configuration itself through machine learning on our side and we would look for anomalies and look for suspicious activity.

Speaker 2:

If the end users maybe change their retention policy twice a month, it may change us to encryption once a week, change job definitions and all of a sudden in one day we see a bunch of jobs deleted and other changes. That's suspicious and because those things are happening before the ransomware takes place, it would be a predictor of a ransomware attack. And so we built that and productized it and we tied it into our service that if and when we saw that we can automatically air gap the offsite backups or DR or we can, we built an API, we feed it into the client's SIM or the RMSP partner's SIM, and again, I think you have. So it's like very it's a very sort of similar use case to the aircraft. You have this new attack vector that maybe it's been around for a long time like backup service. It's been around for a while, airplane's been around for a while, but all of a sudden it's an attack vector that was not encompassed by this cyber team. Now it's being exploited and we need to sort of build that bridge.

Speaker 1:

Yeah, I'm surprised, honestly, the FAA doesn't have regulations behind this, like some type of compliance mandates that say, hey, if we're going to operate in our airspace, you have to go, like we see it in, obviously, data centers, endpoints, cmse, yeah, yeah, yeah, any type of cyber infrastructure. We see these mandates already existing. But the airline industry I mean it's a huge portion of our economy, right. So travel, the airline industry, I mean I don't even know how much, I mean it's billions and billions of dollars, right of the sector that just goes unnoticed, uncared for. I'm so surprised there's not mandates around that. And so for you, I'm curious, you said it's coming right. You did say that. So what would those mandates look like for you? If you had a golden grail of mandates, what do you think they would include?

Speaker 2:

Well, so you know, if you look at what IASA, which is the European FAA, essentially put out, you know it's exactly what you're saying. We are mandating operators. And someone asked me this the other day. They said is it aircraft that are registered within Europe or that land within Europe? I said, you know that's a really good question and I don't know that there's an answer for that yet. But that has huge impact, right, because you know now it's like you have every operator in the world and every commercial operator needs to comply. Then at that point and you're not just going to comply when you land, you need to comply your fleets fully. But the requirements that IASA is putting out, which is called the PartIS and it goes live in October of 25. And I'll read them to you.

Speaker 2:

You know, and again it reads very similar to what you know, what you know our traditional industries have been talking about for a while maintaining the security of an aircraft system through their lifecycle, vulnerability management, identifying the sessing and mitigating vulnerabilities in aircraft systems, security awareness, training, protecting the integrity and availability of aircraft system.

Speaker 2:

And that's a fun one, right? I used to have a lot of fun with that one with HIPAA, because HIPAA also spoke about availability of data, which and when I was really focused on selling disaster recovery we would use that. We'd say, hey, hipaa is not only about you know people stealing your data, but if someone can cause your system to go down and make that patient data unavailable, that's a HIPAA violation. If you're, if you're, if you have downtime, your bio and you know doctors can't get the patient data, that's a violation. So that's an interesting one. The other ones, back to IASA, are ensuring the confidentiality of aircraft data monitoring, aircraft systems for sign up, unauthorized access or activity, aircraft incident response, implementing measures to mitigate risk. So, again, like very sort of traditional, you know table sticks type of requirements. But the issue is, you know the word aircraft shows up in almost all of these, right, and so that's the rub there's not many tools and systems that are out there designed for that.

Speaker 1:

I also see a web of jurisdictional conflicts, right? So let's just say for example, an American airplane is flying within the borders of Europe and something happens within the borders of Europe, who has jurisdictional authority over that plane to investigate sad breach? You know what I mean. Like it just, yeah, it becomes this web of entanglement.

Speaker 3:

I'm also envisioning some type of, you know, fly by a hostile country and some type of almost EMP, but specific for aircraft, you know, like a new cyber weapon aimed at aviation.

Speaker 2:

Yeah, I mean like so all of this stuff can happen, you know, obviously in the air and in the sky In fact. In fact, one of the RF systems that is susceptible to this is called AVSB and basically just positioning data and interesting thing is, all the planes actually it's now mandated that the planes do this. So if you there's actually some pretty cool sites out there, like if you go to ADSB exchange or flight or flight tracker, which is a really cool app you can install on your phone, you might have those right now. They're awesome, they have augmented reality. You can just point your phone at any plane you see flying past in the sky. It tells you the tail number, it tells you where it came from, where it's going really cool stuff.

Speaker 2:

But if you look in the corner behind me, I have a little, I have a little radio there. I'm participating in this ADSB exchange. You go to the website. It shows you a global map of where every single plane is in the world right now and that's all. That's all hobbyists like me that are that are sort of contributing to this network. It's like SETI and it's cool.

Speaker 2:

My little radio back here. I can. I can receive signals within 300 miles. If I can look at just my map, it's actually awesome. It's a little Raspberry Pi with a $50 USB radio. It's not a lot of fun, but anyway, the planes all put out these signals and so that's cool. Here's where I am. One of the interesting things is that there's this collision avoidance system where the planes receive the signals from the other planes in the area and the planes actually speak to each other and they basically will say they form this consensus it looks like we're going to, it looks like we're going to collide, I'll go, I'll go up, you go down, I'll go left, you go right. And these messages are basically shown to the pilots like hey, your, your collision avoidance system is going off. We recommend that. You know we want to move to this position and we want to do this. Press the button. And so very easy to send a fake message and cause and cause that, cause that and cause the plane to move or change position.

Speaker 1:

I'm really curious, so something that I know. This is more kind of content focused, but you know, obviously, when the Super Bowl was happening and you know, obviously Taylor Swift was flying across the ocean and people were tracking her flights, and then now you see there's this young guy can't think of his name, but I'm sure you know the young guy who's tracking celebrity jets and posting that information Tracking Elon Musk at one point.

Speaker 1:

Yeah, same kid. So something that nobody really talks about and I'm curious to get your take on is transparency of of this information right? Because they're they're using federal airspace, right, they're using federal tax dollars, obviously, and so there has to be some type of window for the public. Where, where do you define that Right?

Speaker 2:

Well, so that's what's actually happening, right? So if you go onto these sites you can see all the planes and you can see their tail numbers, the, the FAA registered tail number. And if you go to the FAA's website you can look up any tail number. It'll tell you what type of aircraft it is, give you some registration info and give you ownership and typically what, what is done to sort of to sort of obfuscate the ownership in the. You know, I don't, I think the commercial operators, they don't care, you know, it's like they just put it out there.

Speaker 2:

But definitely in the business world side, an LLC, a new LLC, is created per aircraft and that's sort of like the, the paywall that you can't get behind, and so you don't necessarily know who the LLC. I mean, you know, ironically enough sometimes, that now you can go digging and you can look at the LLC and you look at the address and it's fairly, you know, like I saw one that you know typically they'll put like the initials of the company. You don't need to. But that's the thing. If you can, once you get the name of the LLC, if you can figure out who owns that LLC or what it's related to, now you know who's playing it is. Now, what can they do?

Speaker 2:

I'm sure there's a way to. Maybe, I don't know, maybe you can request to change your tail number, maybe you change the LLC. But once someone has that association, once you can get from tail number to kind of owner they are the operators. Now mandate to put out these signals of here's, here's where I am right now, here's my tail and here's my position, and then it's trackable. I think and that's a thing, that's an interesting thing Like it's like you know people. I think the person who was tracking Taylor Swift, you know they sent him a cease and desist, right, and they sent him all this. Like we're going to sue you because you're putting her, like, at risk, and all this. But meanwhile, you're right, it's publicly available information. He's just bundling it up in a way that's easier for folks to see.

Speaker 1:

And I'm assuming you believe in that ability to do that right, I mean.

Speaker 2:

I don't know, I haven't really thought about it much. I mean, on one hand it's you know it is it's it's related to federal government and this and that and taxpayer dollars. On the other hand, it does make it easier right to conduct these attacks.

Speaker 3:

But I wonder if it needs to stay public.

Speaker 2:

Well, yeah, well, the tail number is. You know, the tail number is just a number, right? I think maybe the registration information right, that's what I mean. Yeah, maybe not showing the owner or maybe, you know, maybe that has to be behind like a freedom of information act request or something that makes it more difficult.

Speaker 1:

We're starting to see a lot of. You know we talk about like trust lists, like zero trust frameworks, a lot, and you know there seems to be kind of a divide of people that say no, zero trust isn't the way, and people saying zero trust is the future. I'm curious. I could tell by your facial expression you have a few things to say.

Speaker 2:

Zero trust has been, you know, overly it's turned into this overhyped marketing term. Look 15, 20 years ago, you know, in our offices in the optinine at that point it was Web Air offices we had a whole bunch of employees, we were tech companies like it's not a fair example, but we wanted to secure our staff and our people and ensure that, you know, there was no data leakage. So every employee was put in their own VLAN and when they VP and in, they ended up in that same employee VLAN and so there was segmentation. They were not on a shared layer two network and it was that was. You know, we were doing zero trust without having a fancy name for it, and that's what bothers me. I think that you know going.

Speaker 2:

You just sort of I worry that there are business owners that are out there who read the news, see these stories about ransomware and basically in their head they're like well, I'm okay because I buy backups or I have a disaster recovery, or I pay the security company to take care of everything for me, and there's all these like there's so many bad assumptions related to cloud and security that people have a false sense of security and they just sort of discount it and, as you guys know, this is all multi-layered. There's no, there's no. If I have X, then I'm secure. And I think we fall into that trap with zero trust. We subscribe to zero trust, therefore we're all set, we can ignore everything else. And that's what scares me is the marketing aspect of it.

Speaker 2:

There's a company that is focused on cybersecurity for the space vertical, for digital infrastructure and space, and so there's an AWS snowball, which, if you don't know, is a glorified Raspberry Pi compute device and it's an edge. It's okay, it's an AWS edge compute device, but under the surface it's pretty much a Raspberry Pi. Anyway, there's one of those on the space station, and so, from a marketing perspective, it's like whoa, we have edge compute in space. You know we can conduct computational things in space. We have public cloud in space, raspberry Pi, and that's cool. Like you got to start somewhere. But then this other company came along and says hey, we're doing zero trust in space. So, marketing perspective, I think it's great. I would have done the same exact thing, but we got to be careful, you know. So do I believe in your trust principles? Yes, is it to be all into all?

Speaker 1:

No, that's kind of funny to me. Obviously, we want to talk about the future. Right, I know you don't have a crystal ball, but obviously you kind of seems like you have a pulse on where the future of cybersecurity is heading. Is there any type of exciting developments that you feel like that are happening now that may be game changing or groundbreaking in the future?

Speaker 2:

Well, you know, I think I said at the beginning, but one of the things that also scares me is the fact that if you look at the role of IT managers, of CIOs, vp of infrastructure, whatever you know, the amount of sort of responsibility put on their plates year over year is increasing and, in many organizations, smaller. Obviously. There's typically not a separate sort of security apparatus there than tasked with owning all the security stuff as well, and I think one of the things that a lot of those folks in those positions don't realize is part of their job is to manage complexity group, is to have a focus on ensuring the most simplest architecture that they can find which still satisfies the business needs and provide some level of flexibility. That should be one of their goals, but I don't think that they're really thinking that way, and so we end up with this vast sprawl that we're all aware of, right? We end up with cloud sprawl.

Speaker 2:

We end up with, if you look at, something like SASE, right, another great marketing term. Thank you, gartner is cool, but it's not one product, it's like 50 products, and so people need to like really focus on simplifying their environment, because the more complex it is, obviously the harder it's going to be to manage, monitor, secure and scale it right, and it becomes almost impossible, and so we need to take a very active approach on managing complexity. If that's not done, it will almost become impossible. And again, I think that also means the outlook is good for managed vendors, mssps, managed security vendors, managed cloud vendors, all that and so I think we're going to see, in the future, outsourcing to best and breed becoming much more common, because, as things get more complex which they will it's going to be almost impossible for internal teams to do it.

Speaker 3:

I think, by the way, I think it's well-heating fruit.

Speaker 2:

I think if you have remediation list of 50, you don't like, hey, I'm just going to give it to my vendor. Yeah, I have spent some time looking at what's happening with digital infrastructure in space. It's just an interest of mine. I think it's just super, super cool to geek out on Space-based data center, space-based edge compute, space-based connectivity. There's a company, actually, that was a great launch Yesterday. It was a SpaceX rideshare launch, the first of this year. The rideshare launches are awesome because they're typically like 100.

Speaker 2:

I looked at my LinkedIn. There was like 30 different companies that were in space. We made it because they're all in the same rideshare. But it was a company that's doing cell phone towers in space, direct to device. I'm on my normal iPhone I don't want Android and I have cell phone access because I'm directly connected to a cell phone tower in space. How cool is that? Now you think about where's the content? Well, why not just put it in space, in the space data center, which gets free power and free cooling? Is it going to happen tomorrow? No, but I think it's super fun to talk about. That. All needs to be secured Now. There's a lot of optical links. Now all the space-based connectivity is optical in nature. Amazon Kuiper is already doing 100 gig satellite to satellite, spacex is doing satellite to satellite. Now how do you secure that? I don't know To me. Now, going back to complexity, look at the increased complexity there and now apply your cybersecurity frameworks to that. Sorry, go ahead.

Speaker 1:

No, I was just sorry. I had a really quick follow-up. It brings up a lot of thoughts to my mind Now. I haven't seen any mandates or frameworks around satellite security. Yeah.

Speaker 2:

People are talking about. I mean, within the satellite industry there's like a subgroup. But again, going back to radio frequency communication, a lot of it has been and I think that, going back to your question about aviation and the lack of requirements, a lot of it's been security by obscurity and the fact that these things were, from an engineering perspective, very difficult to do. But it's amazing to see how quickly it's gone from theory to active exploitation in the wild. I'll give you another example that touches on space and security and even complexity is there's a company that's spun out of Google I don't know how to pronounce her name. It's called Al Yara, but if you think you guys are familiar with SD-WAN, the capability of overlaying on top of multiple internet connections and all that. So what this company does is they created something called like temporal space software to find networking, like they made up a really co-acronym. Then their focus is on meshing, is on taking terrestrial fiber connectivity, terrestrial 5G-based connectivity, multiple satellite operator connections and creating a mesh network. That is creating an overlaid mesh experience where, if satellites are blown out of the sky, if your network is cut, whatever your connectivity can move from one part to the other with no disruption at all.

Speaker 2:

To me, it's super cool. It's something that we didn't even think we needed, but now, as these new options for connectivity become available, we're going to start using them Now. We need a way to manage the complexity Now. How do we ensure security? How do we ensure security assurances? As we go from platform to platform, I think there's always new problems to solve as we force ourselves. It's almost like self-efforting prophecy New technology we never knew we needed it, but now that we see it, we want to use it, and so we're going to use it Now. We just made our lives more complex and now we have to secure the more complex reality.

Speaker 1:

Yeah, yeah. Well, we went down the rabbit hole of space. We went down the rabbit hole of aviation. We talked briefly on Cloud. Obviously a part of you joining our podcast, obviously you're tapping into our audience and our viewership and our listener base. Is there anything We'd like to obviously give you the platform here. Is there anything that you feel like we didn't talk about that maybe you had on your mind?

Speaker 2:

Well, I would say, just going back to the comment about assumptions, don't assume anything. A lot of people like to check the box around backups, disaster recovery and again, I think the most important thing that an organization can answer himself is do we have an appetite to take ownership and accountability of managing X, y and Z, of being responsible that we've set up our AWS account the right way and that we checked all the boxes? Do we want to be on the hook? Do we want to be on the hook to ensure that our disaster recovery configuration is working properly, or would we rather just sign a contract for it and hold a vendor accountable to an SLA? And I think people don't realize. When you think about managed services I think you guys have similar services is you're not buying bits and bytes or X amount of storage. You're buying performance, like with Optinine. You're entering into a contract that we are going to ensure that your disaster recovery infrastructure is up and running with the specified RTO of recovery time and that your data is no longer than X amount old. And if we happen to be using the wrong hardware infrastructure on our side to get that job done, well then it's on us to spend any amount of time or any investments to ensure that we upgrade so that we're meeting the performance requirements of the contract. And so the first question is what do we want our IT folks managing infrastructure and security and cloud and backups in DR or do we want them focused on adding value to the business? That is super important. By the way, I've worked with many very large organizations who totally have the technical capabilities and the teams to do all that, but they've made the conscious decision of we don't want to be on the hook for it. We'd rather have a contract and sue someone to get to that, to be responsible for it. And so I would say that to everybody. Think about that and also think about the assumptions that you might be making of we're good because and then talk to a vendor Optinine is great at managed disaster recovery, backups, managing cloud, especially with what's going on with Broadcom and VMware right now.

Speaker 2:

I don't know if you guys are following that. Yeah, yeah, it's a mess. I know it's going to cause a ton of consolidation. I mean that was a really good time If you were teetering. Well, maybe should we keep running our own VMware. Should we keep running our own hardware One of the cool things that Optinine does is we run managed VMware private clouds and so we can move your existing VMware-based infrastructure to keep it on VMware. Our pricing is much better than what your renewals are coming in at Integrate to your existing network and adhere to your existing security framework so the best of both worlds. So, yeah, those are interesting things I think to put out there for Optinine. And then myself I'm involved there. I'm also doing some consulting, so if there's anything I've mentioned that is interesting, feel free to hit me up. But, as you can tell, I love to chat about these things.

Speaker 1:

Yeah, yeah. Tell our listeners how they can reach you, how they can communicate with you. What's the best means to make contact to you?

Speaker 2:

My personal website is 10forwardai number 10forwardai or find me on LinkedIn.

Speaker 1:

Yeah, we'll find it and we'll drop some links here in the description. Awesome, I think that's all that I had, craig, any.

Speaker 3:

No, I think that was great. So one last question I had on the Optinine Do you support most of the modern regulations? I know you mentioned HIPAA compliance, assuming that maybe you're achieving or headed towards CMMC compliance. Is there anything that you guys don't do or that you like in a certain regulation or vertical?

Speaker 2:

Yeah, I mean, is there anything we don't do? Well, no, we do all of them. If it's FedRAMP, that's the only one that's a real fun one to talk about. But when we do FedRAMP, we like to partner with AWS, govcloud. Besides that caveat, we do all the rest, and what we do and our strategy around compliance is we've taken our SOC2 audit and we've added all of the additional frameworks and we added a section that shows how we demonstrate how we comply with all those and we map them back to our SOC2. And we also let the client know hey, for this specific regulation, this one's on you. And so we are mapping to CMMC and to ITAR and CJIS and HIPAA and GDPR and probably 50 more.

Speaker 1:

I should make you both aware of this. It's always so annoying for us, but I mean, we find some fun in it.

Speaker 2:

Yeah, I saw CMMC on your website and I thought that's like a super interesting one where it went, where it's heading and, to me, what's going to happen in the aviation industry from a sort of subcontractor perspective. I think it's going to look very similar to what's going on with CMMC right now.

Speaker 1:

Yeah, cmmc is our bread and butter. Craig and I are both CMMC certified. I'm an RP, craig's an RP and we're an RPO, so that's kind of our bread and butter for sure. Awesome.

Speaker 2:

Well, thanks for your time. Thank you.

Speaker 1:

Yeah, thank you so much for coming on. We appreciate the opportunity to speak to you and I'm sure we will definitely stay in touch and we'll definitely see you, probably likely in the future. We will follow up and make sure that we check in on you and our listeners as well. We'll ask you back for updates and, yeah, looking forward to doing that with you.

Speaker 2:

Awesome guys. Thank you for the time. Appreciate it, Thank you so much. Thank you.

People on this episode