The session Safeguarding Against Cyber Security Threats is hosted by Oliver Gruner Corporate Account Director for Mitsubishi Electric and includes session speakers Tom Burke, Global Director of Industry Partnerships for ICONICS; Ben Burke, Chief Operating Officer for Dispel; and Yuki Shimizu, Application Engineer for Mitsubishi Electric North American Development Center. The session includes presentations about Dispel Secure Remote Access and a demonstration of this capability; ICONICS Suite with BACnet Secure Connect; OPC UA Security and its architecture; a Q&A session, and ends with a a News Desk wrap up that goes over the session highlights.

Video Transcript

[0:00] Oliver Gruner Corporate Account Director for Mitsubishi Electric

Welcome to ICONICS Connect 2021 to our next session Safeguarding Against Cyber Security Threats. Thank you for joining us. We realize your time is valuable, so we really appreciate you giving your attention today. My name is Oliver Gruner. I'm Corporate Account Director for our Mitsubishi Electric parent company, and I'm responsible for the relationship with Mitsubishi Electric globally. Today we have an exciting presentation and a great team assembled. With me today is Tom Burke, Global Director of Industry Partnerships with ICONICS, also wearing a Mitsubishi Electric hat, so he has a dual role. And it's great to have him here too. Then Dispel Chief Operating Officer Ben Burke and just to get this out of the way, no relations to Tom. Also joining us and presenting the demonstration is Yuki Shimizu from the Mitsubishi Electric, North American Development Center.


Ted Hill talked a lot this morning and specifically about remote work, and that is very important. Part of our discussion today in the agenda is when you do remote work, accessing OT systems, accessing them remotely, cybersecurity becomes not just an issue, it becomes a necessity. And there are features that we have in ICONICS that I want to present to you a little bit and how we enable our customers to help make systems more secure. We also do connectivity, and we do OPC UA. We are based on open standard sparkplug, and that's where Tom Burke is going to talk more about it and BACnet Secure Connect which is changing in the industry to make communications more secure, and that's an ongoing, very hot topic. Also, remote access is very, very important, remote access to OT system. And Ben Burke from Dispel is our guest presenter today, and he has a very great presentation and insight into Department of Defense grade level security. He'll show you what is new in the industry and how you can take advantage of it. Then towards the end, we're going to present with Yuki a product demonstration with Mitsubishi Electric hardware. We will do a remote connect into an existing Mitsubishi Electric industrial PC connected to a PLC, actually then operating equipment, and we want to make that a secure connection through Dispel. It's going to be very exciting, so I'm looking forward to this. And thank you for being with us and going on this journey. 


First, what are the security cybersecurity features that we have within the ICONICS Suite software that makes it secure and better for you to deploy secure systems. Not all of these things that are listed here are brand new. The first one is with our recent release 10.97.1 back in March. It is a secure by default installation; there was a hole that customers pointed out to us because people sometimes forget to do certain things after the installation. Now we're forcing a security username and password for the ICONICS security system during the installation process. And so that's an important piece that we addressed, and thanks for all of the feedback that we received on this. Also, once you deploy, you want to communicate securely via https, and there are two ways to do this. Do you have a client connecting to a server? If it is a web HMI client or if it is a mobile HMI client, you can select to make a secure connection through HTTPS and web sockets. So that's part of the configuration that you can select. Specifically, when you have larger systems, and you have multiple ICONICS servers in your network, and they do cross communication. They communicate in an ICONICS system communicating to each other, so you can also enforce HTTPS security on those server-to-server communications through web sockets. It's all configurable within the mechanics workbench to make that secure. 


Also, the other thing is identity providers. If you’re logging on as a client, you have to provide your username and password, and we have done this for over 12 years or 15 years now to use Microsoft Active Directory. But most IT departments don't want you to do this direct connection to the Active Directory server, so we're using other technologies like SAML and OIDC as identity providers to securely connect to that or to make that highly secure. And through that, we also enable multi factor authentication. So, at this point, I'd like to invite Tom Burke. Tom is going to talk a little bit more about OPC UA security standards like Sparkplug B and will give you a great journey and what's important and important in the industry today. Thank you, Tom.

[5:28] Tom Burke Global Director of Industry Partnerships for ICONICS

Thank you, Oliver, it's really a pleasure to be here at the ICONICS event. I’ve been to many ICONICS events over the years, but this is the first time that actually worked for ICONICS and Mitsubishi in my role. So as most of I was the founder of OPC. So, I guess like I'm the grandfather of OPC, and I invented it a long time ago, along with OPC UA. So, I'd like to talk about some of the key security concepts that really make OPC UA what I call secure by design. Basically, the whole concept, and I’ll talk about two different triads. I’ll talk about what's known as trusted information, and also, I’ll talk about access control. And these are integral parts of the OPC UA architecture when we talk about secure by design. ICONICS was one of the key contributors into this whole architecture of what we've done with OPC UA for so many years. So, when I talk about CIA, I’m talking about the confidentiality of the information. I’m talking about maintaining the integrity. And I’m talking about maintaining the availability information. And then we’ll talk about the access control: who's allowed to access the information; how do I do the authentication; how do I do the logging and the accounting that are all part of that. So, when we’ll talk about, like what Jim Desrosiers talked about earlier, this whole concept of information and securing information. It's very important that we can secure this information in a streamlined fashion and give the end users really what they want. And I'm proud to say ICONICS, with all the products we have, we've really designed the security and specifically OPC UA into the architecture.


So, the overall use of OPC UA security really enhances the whole overall system security. And it's not the whole story, but it's the integral part of the infrastructure that's so important to make this happen. So, if you take a look at how GENESIS64 works, and how it communicates with all the different connectivity options that we're talking about the Mitsubishi devices here, and we have the OPC UA server inside of the Mitsubishi device. GENESIS64 is the OPC UA client. And what I just talked about those two pyramids or those two triangles, the application layer is at this one level that basically accentuates, and it communicates all the authentication between the users and the applications back and forth. So, you've got control; there's no longer this ability that have an application connect up to something that you really shouldn't be allowed to connect to. And this is the whole basis of security; this is how you avoid a lot of those things. And on the communication layer, this is where you handle all the things related to the signing of messages and encryptions and this whole authentication process. So, there's a lot of different transport layers that are underneath. And basically, OPC UA in combination with ICONICS, we build on top of all those transports to really take advantage this and really make the whole infrastructure at both the application layer and the communication layer totally secure. A lot of the different things that happen that I was familiar with, and I remember when one of my colleagues came from the Department of Homeland Security, and she painted doom and gloom about security and scared the daylights out of me, and sent the wrong message in some ways, but then the whole message was, “Take care of this; make sure that you're secure in your infrastructure to begin with”. 


So, some of the types of attacks that we address basically with OPC UA and now that's built into the ICONICS architecture are things like message flooding. You want to minimize processing of packets before they are authenticated. You want to prevent eavesdropping, and you do that by basically encryption. And you're doing that where you're recording and capturing all the messages that are being exchanged between the client and the server. There's been lots of things where people have seen breaches of security that basically have been what are typically considered message spoofing, and essentially, the attacker forges a message, makes it look like it's somebody real. And next thing I've got my client sending something that they really it wasn't the right one, and they're changing the setpoint. And they're closing a valve when they shouldn't close the valve and next thing you've got a catastrophic error. So, this is all the types of things that are addressed in the architecture and the same thing as we can basically support the reliability through this whole thing called message altercation replay. So, I capture the messages, I modify them, and I can resend them. And it's all built into the secure architecture of OPC UA that we talked about, making sure that we deal with malformed messages. So that you can discard messages that really aren't the right things accordingly. 


So, these are the big things that are all part of OPC UA secure by design that ICONICS has built in the architecture. The next thing is, I'm pleased to talk about what I call the Device Explorer, which is our OPC UA server and all the feature functionality that has so this is integrated now. And it's licensed with GENESIS64. And it's got connectivity to so many different devices and networks out there, that basically anything that's out there in the industry, we've got the right connectivity to. So, this is really the answer that what it solves a problem of I want to communicate to this device or want to communicate to that device. And basically, you can buy this Takebishi Server, and it's purchased and licensed directly to our ICONICS, and you activate the license through the ICONICS license utility as well. So, if you think about what GENESIS64 does, we need connectivity; we need the data. So, our connectivity solution really is the Takebishi architecture specific with Device Explorer. And again, they answer the question and allows us to get our foot in the door. So not only are we great with Mitsubishi, but we can also always talk to Rockwell; we can talk to Siemens. We've got the ability to have connectivity to anything. And that's really the core things. 


A lot of people are familiar with the whole Kepler architecture and Kep Server. I don't want to go into too much detail on this other than we've got the ability if you're using Kepler now to basically import all the things from Kepler directly into Takebishi. So, this basically eliminates a lot of roadblocks out there. “Well, we've been using Kepler forever Tom, but now you want me to switch to Takebishi.” We can make it easy for you, so that's all built into thing. And our targets basically are to support everybody. And we want to basically migrate over any opportunity that we can that's using Kepware into Takebishi. There's a lot of good reasons behind that. 


The other thing is I'm always asked to talk about this. “Well, you did OPC UA, Tom, but how does it work with MQTT? And how does it work with Sparkplug B?” and I want to talk a little bit about that. So, if you take a look at this whole thing that we talked about IT OT convergence, and what we're doing there. The importance is there are a lot of other architectures for communicating and pushing data between the IT and OT. And this whole concept of MQTT and what it does. Basically, it's a broker architecture. It allows devices underneath to actually push data to a broker or to a cloud, and then clients on the other side can actually basically subscribe to that and to get data. So, it's just a little different than the typical OPC UA. OPC UA also builds on top of MQTT and Sparkplug B. So, there are a lot of different ways that you can make this thing work. But the big advantage of MQTT and Sparkplug B basically is it’s a lightweight protocol. And it allows a lot of applications basically in a lot of industry, specifically in the oil and gas and water treatment to really get a much more effective communication mechanism. So OPC UA is an open specification. Sparkplug B is an open specification. It was developed by a good friend of mine Arlen Nipper, and I've had the opportunity to work with him for a long period of time. And again, we've now built this into the ICONICS architecture. So, we have OPC UA. We have MQTT. We have Sparkplug B. And we've got all these vehicles in that allows us to support both what's known as a client server model, but also publish subscribe. So basically, it's a secure, lightweight protocol that we're using. And that's the big thing. So, from a vendor interoperability standpoint, Sparkplug B is getting a lot of endorsement by a lot of different sensor guys, IO guys, because they're able to put this technology into the lower-level devices. And when they do that, that gives you the capability of grabbing data from a lot of this IO or sensors basically, and really having pure MQTT interoperability. So that's the exciting thing about that. So, the sensors basically are secure. It's built into them with Sparkplug B. They can basically publish data to the broker and MQTT, and then the ICONICS suite is able to subscribe to that directly. 


So, the interesting thing is somebody asked, “But what is MQTT?” MQTT is strictly a transport. Sparkplug B basically enhances that and basically defines what's known as the payload or the structure of the messages. So essentially, you can push structure data now from a lower-level sensor directly into the broker and then have ICONICS be able to access it. So, it's a pretty exciting thing that's happened with the architecture. And again, our goal is specifically to make sure that we're leveraging all the technical innovations that are out there. And the only thing we know for sure is, today is one thing; tomorrow is going to be different. So, we have to adopt. We have to look at the right technical innovation. There are lot of other things that are going on in the world. Right now. We're talking about TSN. We're talking about 5G from a connectivity standpoint, and all those things basically between OPC UA and MQTT. And the importance of what we're doing with ICONICS, we will leverage all these innovations to basically give you connectivity. And guess what we're doing. We're going to bridge the gap and basically have the OT to IT conversions and get information up to and back and forth. So, with that, I want to turn it over to Oliver, and I hope I didn't go too much over time. And we're going to talk about BACnet and the importance of BACnet Secure Connect with ICONICS.

[16:28] Oliver Gruner Corporate Account Director – Mitsubishi Electric

Thank you, Tom. I always appreciate your help and a great presentation. I wanted to switch from the industrial automation industry a little bit for one for short time into the building sector. And BACnet has been the standard in interoperability and communication and buildings. And now BACnet is adding a secure connect specification to that existing BACnet standard. Now, that's very much driven by large end users often from the government, and large end users because, and here's the reason for those of you who are not familiar with building networks because you might be from the automation space, is if you have/own a building network, let's say you're taking a GENESIS64 system that's considered an advanced workstation in BACnet terms, you install that and bring it on the BACnet system, you have complete access and control of this network. And the way it works is from an ICONICS system, and it happens with our BACnet connector, it sends out a request to all the devices out there and says, “Who is” and the BACnet controllers on the buildings respond with “I am”. And all of a sudden, we are auto populating the entire point databases out of these controllers. And you have read and write access, which is great for interoperability. That's why it's been so successful. 


But when it comes to security, it's a nightmare in our new world. So, this has now been addressed. And this is brand new and it's all the vendors; it's the Johnson Controls and the Honeywells and the Deltas of the world. They are working very hard to bring out new hardware. And so are we; we are connecting to that new hardware. And they are building in authentication and end to end encryption, the same concepts that you would know from any other IoT secure communication protocols, through encryption and authentication. There's nothing new to it, but it had to be part of the standard. So, what's new with our release 10.97.1 in November 2021 is we including BACnet Secure Connect. And so, we're going to have both versions in the ICONICS suite and in IoTWorX as well. So, we have the BACnet classic, and we have BACnet with Secure Connect. And one of the things you have to remember is you cannot use both at the same time. So, you can use one or the other. 


They have certain features that we are going to introduce in a future version with BACnet Secure Connect like trend objects, schedules, and BBMDs. But our first deployment will actually be a large one with customer with the Pentagon and Johnson Controls. So, there's a lot of testing going on currently making sure that this works properly. So, we're very excited about integrating this. But how does it really work? Because that's an interesting concept. 


When I explained earlier, when you have communications with classic BACnet, you have an ICONICS GENESIS64 system talk to a BACnet controller, so they are talking to each other. And they are now considered nodes. So BACnet is a node, and the building controller is a node and there's a hub in between that provides authentication encryption. They're using TLS for Transport Layer Security, and all of those standard technologies, security technologies built into that. But how does it work? So you are on the network, and an ICONICS advanced workstation as a node will make an outgoing authentication request to a hub. And that's brand new; that's a new concept within BACnet. And this hub is going to broker, that hub will then broker a secure connection to the building controller that we want to talk to. And that is read and write. And once this is established, then the GENESIS System and the building controller can talk directly to each other, and the hub is actually going to get out of the picture. That's important because otherwise it would be a bottleneck. We can’t have 1000s of tags, dozens of building controllers talking through one hub. It's not unmanageable, and it's not a good architecture. So once the secure connection is established, the hub gets out of the picture. So, there are different options and also failover. So, the hub can have a redundancy or failover component to it. But since the communication is secure, you can just have a hub, also just have the hub on your building network. But the hub could also be outside of the building network residing as a service in the cloud because the communications is secure. This makes it very interesting for testing because we are currently testing with multiple vendors, and we don't have any of the hardware in our building. We have remotely connected through that secure connection via BACnet Secure Connect making it very, very interesting architectures.

[2159] Mr. Oliver Gruner Corporate Account Director for Mitsubishi Electric

Great. That’s on our secure connectivity features that we have in the ICONICS suite. And now I wanted to present Ben Burke with Dispel. And he's going to take us through secure remote access and new technologies that only the Department of Defense used to have access to. So, Ben, thank you very much. Appreciate it.

[22:29] Ben Burke Chief Operating Officer for Dispel

Thank you, Oliver. I’ll quickly get my computer to set up for our demonstration later, so that way, we can jump right into it. Awesome, great. Well, hello, everyone. My name is Ben Burke, and in partnership with ICONICS and Mitsubishi Electric, I'm here today to talk about Remote Connectivity. More specifically, it's the efficiency demands that remote connectivity should be enabled, the security risks of enabling remote connectivity, and what you can do using a next generation moving target defense posture to mitigate those risks in your networks. A bit of background about Dispel. The company was founded in 2014; came out of the broader military industrial complex. We have offices in Austin, Texas, and New York City. What we do is we provide fast secure remote connectivity to industrial control networks. The industries we serve, we serve your peers. And really our core capability and our patented technology is launching these moving target defense networks. If I ever mentioned MTD, throughout this presentation, I'm referring to moving target defense. So, I'm talking about the shifting polymorphic networks that will help you protect yourself against the latest threats. Moving target defense is not a new concept. It was actually called for by the Executive Office of the President as early as 2011. So about three years before we ever showed up, and the goal was to increase complexity and cost for attackers to limit the exposure of known vulnerabilities and opportunities to exploit those vulnerabilities and thereby increase overall system resiliency. And this is against nation state level advanced persistent threats. Moving target defense has been used to great effect over the past decade in the Department of Defense. And of course, at first it was only available to the DoD, but today it is commercially available. We were the first commercial provider of moving target defense, and the goal the core principles of MTD are disposability and dynamism. It's the idea that you have nodes that you can throw away. How much more resilient is your system if you can rebuild it on the fly? And how much more difficult is it to find attack your system if it's moving over time. So, who uses Dispel? We work in OT. We were purpose built for operational environments, because that's water, wastewater utilities, power, oil and gas, government sectors, you name it. So, all of your peers, anybody with operational endpoints that needs to provide secure remote access to those endpoints can and should be using Dispel. We're not just adhering to the strictest cybersecurity frameworks; we're actually helping to find them. So, we work with NIST or the National Cybersecurity Center of Excellence to define pragmatic implementation guides for how you can better secure your operational environments. 


So, what do we? What are the concrete use cases for secure remote access remote connectivity writ large? The first is 24/7 operator access: whether you are in water quality control, and you're checking a system at 2 am. Or you're being called in an emergency situation to debug and fix a down production line. You have 24/7 access to get the best people to the job faster. If you have multiple facilities, you're now able to centralize the management of those facilities. The second use case: vendor access. We all have vendors; we all bring in vendors, in a constant refrain I hear from our customers is wanting to standardize the vendor access process. So how can you do that? How can you bring your vendor experts in, in a way that's fast and secure, in a method that you completely control? And we'll get more on that with some of our case studies today. And finally, secure data streaming: This is taking the data off the factory floor and getting it to the people that need it most. You guys all work with ICONICS. You know the efficiency gains, the importance of using your factory data. We add an extra layer to that transmission process. We add what I would call a disassociating factor. And a lot of our customers in the oil and gas space have commented to us that it's not just getting it there securely, it's that the content of that data can actually move markets. So, knowing that is important. So, if we can disassociate a from b, you adopt a more secure overall posture. So, what do we replace? And if you're using one of these, please talk to me.


The first thing is static VPN. This is kind of the industry standard and how most everybody has always gotten to their target networks. We're going to dig it on static VPNS a lot in today's conversation. The second is built for IT road access tools. The truth is they weren't built for operational environments; they weren't built to help your people get to problems faster. Your teams, your operational teams, are judged by how quickly they solve problems, not by how quickly they jump through IT access loops. Vendor install backdoors: there are some vendors like ICONICS that care deeply about your security. We've gone over a number of the different ways in which they're helping improve your security posture. Other vendors just don't care; they'll drop a cellular backdrop into your network, and that's now a pivot point through which someone can move laterally to deploy ransomware or other remote code execution. For shadow IT: I encourage all of you to take a walk through your factory floors and just take note of the applications on some of those workstations. It's, “Well geez, we needed access fast, so we installed this free licensed software”. And now the guy got in; well great: them and everybody else. And then finally, the last two is really the cost sinkholes, so shipping laptops to vendors. Static VPNs: we know that they don't really work. Some use jump hosts; others will ship you a laptop because you do not trust the person connected to your network. You want to control that as much as possible. So, you wind up being not only a chemicals manufacturing company, but also a laptop inventory warehouse. It doesn't really work at scale. And then finally, obviously driving/flying on site. That just means that your turnaround time on maintenance, debugging, or even patching and updating might extend weeks when it should only take hours. How are we different? Next generation moving target defense: we're going to talk about that. Next, we align with the frameworks that you work with whether that's NIST 853 800-160. Volume Two is the latest one. The CSF, if you're in Europe, IEC 62443. So, you name it, we work with it. We help you align to those frameworks, so that way you can feel more confident about your profile. Zero trust networking access: Zero trust does not just mean that you only gain access to things you're supposed to. It also means when you're not supposed to be there, you don't get to be there. You get kicked out. So proactively deactivating accounts. Disposable single tenant infrastructure: I mentioned disposability as a key concept in moving target defense. It's the idea that you don't trust a device, an endpoint connected to your network after one day. Let's throw it away. And let's build a new one with the latest security patches and updates. Let's not worry about “Did you remember to patch it?” Let me take care of that for you. Full segmentation between corporate and OT environments: this is going to be a huge point in the Colonial Pipeline case study. But your OT network is where you make all your money. It builds your systems; you should give it its own access point. And then finally, visibility and auditability. We hear from so many customers that there are blind spots in remote access. How do I know what somebody did when they were there? We help you eliminate those blind spots and gain full accountability over everybody's actions. 


Static defense: the best way I can describe it to you is a sandcastle. You and your team, you're constantly building taller, thicker walls, but there are waves of attacks coming at you from all sides all the time. The problem is your sandcastle never moves. So, one of these days, one of those waves is going to find a way to break down the core integrity of your defenses and ruin your day. A traditional method for this is static VPNs. That static VPN concentrator is sitting there. Everyone else is connecting to it. So, you're painting a target profile. And remember, we're not just dealing with your run of the mill attackers; we are dealing with advanced persistent threats. You guys are running critical infrastructure. These are very valuable targets. So, they're going to take the time to figure out what kind of VPN you're using and where it exists. What are the patterns of life that people are going to use to connect to it? And they're going to say, “Great. Well, I know it's a pretty big month for you. Maybe Christmas coming up to produce a lot of widgets. And so, I'm going to then pick that one time to ransom, to find the way in you didn't patch it yet. And I'm going to find a way and in and ransomware your networks.” Moving Target Defense takes the idea of a sandcastle and turns it into a submarine. We have that hardened, airtight shell. We push the perimeter out though and make it dynamic. So now it's going to proactively evade enemy reconnaissance, and reconnaissance is about 90% of any attack against any network.


What does that look like? It's a much more complicated slide. But I can tell you that that entire purple box you see her;, that's all handled by Dispel or another moving target defense provider. We're taking care of the complexity of bouncing that information around for you, so that you don't have to think about it. I know you see a lot of different cloud providers in this slide. I want to just quickly comment on that. That's because we deploy in over 200 global data centers across a number of different cloud providers. We can build your infrastructure where you need it to be, so it's the most performant for you. And then we also have, and you'll see on my right side, the virtual desktop, so we have disposable virtual desktops that your users will connect to, your vendors will connect to ahead of getting to your endpoints. Think of them like a doctor walking into the OR: they're going to put on their disposable gloves before working with a patient. That way, you know at the end of it, it can be taken off and thrown away. So that's kind of the idea of mood or defense. 


Let's look now at the cost of an unsecure remote access platform. And I want to look at three case studies. But first I want to talk about in 2020, about 50% of organizations reported a data breach caused by a vendor at an average of seven and a half million dollars to remediate. My point in telling you that number is not to have you say, “Great, I'm going stick my head in the sand. That's it, no Remote Connectivity, anywhere.” That would be tantamount to your running 100-meter race, and you're going to run it with a potato sack on your legs and watch your competitors speed on by because they're doing all the right things. They're getting all that information, all the benefits of remote connectivity, where you've decided to just turn it off. The thing is, remote connectivity is here to stay; we have to be thoughtful about how we can best secure that process while taking advantage of those efficiency gains. So, looking at our use cases, let's jump into the first one, a large automation vendor. The attack was called Modipwn; the cost, it did require direct level access. So, it may have been exploited amongst different organizations, but I do not know. The method, so Tom mentioned earlier the idea of message spoofing. That's exactly what happened in this case. Attackers were sending unauthorized commands to a chipset, to the Modipwn chipset. And that then leaked hashed information. They then took that hashed information and applied it to gain command and control over the chip itself, so that way they could perform remote code execution. They could install their own sets of malware, and they can then move laterally from there and spread across the entire network because of course, that chip is probably trusted amongst its peers. 


So, what could you do different? And that's what that acronym spells out? It's “what could you do different”? The first is, remember, automation tools weren't built for security. Many of them are, if not 5, then 15, and I'm not going say 50, but they're old. And they're still useful. They're still being used. So, you need to create a layer around those vulnerable devices. Back to our DOD side of things. They're saying, “Well, listen, we know there are some known exploits. How can you limit the attack surface that somebody can use against it?” So, the answer is you have to strictly control access, not just at a per user level, but at a port and protocol level because I can then see if you're sending unauthorized commands over a certain protocol that you really shouldn't be sending. And I'll reiterate that moving target defense allows you to push the edge of this perimeter into the cloud. We're able to then defend proactively, so that way malicious data never actually gets to your network. Remember, an important concept in this attack being utilized was direct network access. 


Our second case study: JBS food group; the attack was ransomware. The cost was $11 million in ransom. So, what I want to talk about here is remember that your attackers are taking time. They are patient, and they will find a way in. Before this attack ever took place, an attacker spent about two or three months scoping it out, performing reconnaissance. And how does one perform reconnaissance? Well, we're looking for exploitable nodes on the open Internet. Common nodes are the ones that you're using, right? If you've ever Remote Desktop to a different windows server, if you're using VNC, virtual network connection, to connect to different downstream servers, you name it. And of course, the Hallmark static VPN 's, the static virtual private networks. The first step is always reconnaissance. That's what happened here. And in Australia and in Brazil, they found a few nodes that they could exploit. The exact attack profile is not known, but they found some exploitable nodes. They downloaded a whole bunch of data. And when they were ready, once they had taken what they wanted, they then put in a ransomware attack and shut down food production or meat production in Australia and Brazil.


So, what could you do different? First, if you do have any OT devices that have external access, please stop. Please take them offline. And that will include different backdoors. Those cell chips, make sure that if your vendors are connecting to your network that you control that process, and you've talked to them about security. The second is adopt more access tools that are proactively patching themselves. You can't keep up with patching every single node in your infrastructure, so you need to have somebody that does that for you without sacrificing uptime. And then three the whole point of reconnaissance is to frustrate attackers. Again, nation state level attacks are at the reconnaissance phase, making it very, very expensive and time consuming to find you. 


The final case study Colonial Pipeline. The attack again was ransomware at a cost of almost four and a half million dollars. They did recoup a lot of that though about two and a half million dollars, the FBI got back. But of course, all of us felt that at the gas pump. When for the first time in four years, the National Gas average rose above $3. I don't know about you guys, but in Massachusetts, it's still above $3. So still feeling the effects of that. So, what happened? Well, this is kind of the clear case study in what not to do. Attackers found a dark web password on an unused but still enabled VPN account. And that VPN account did not have multi-factor authentication. They then use that brute force password to get into the network, at which point, they simply just deployed ransomware everywhere they could find because Colonial had a very flat network hierarchy. Even worse, they had a network that the corporate and OT networks meshed a little too closely. Semi permeable is not even the right word to describe it. And so, at which point you don't have somebody in the operations room say, “There is ransomware in our corporate network. We can't afford to recover from that, so we're going to, as a precaution, shut down the pipeline.” And that's what they did. And then they went and paid the ransom to then turn things back on. 


So, what can you do different? The first strict segmentation of IT and OT networks; we talked about that a bit. The second is MFA, that's multi-factor authentication: enable it and enforce it. We heard Oliver talk earlier about how ICONICS has MFA so do things to turn on that second level of access requirement. And then finally, use a remote access tool that deactivates accounts once they're done. We have project specific windows during which people can access your network. Turn it off after that; don't have these lingering accounts that might come back to bite you. So, at this stage, I've talked a lot about cybersecurity, all the things that could go wrong, what you could do different. But I want to remember something in the IT OT space; you need a remote access tool that prioritizes operational efficiency. Because at the end of the day, the guy at the front-line cares about how quickly he gets to the problem, to get his manufacturing line back up and running. So, we say his remote access systems, they're not cybersecurity tools. They are efficiency tools with cybersecurity requirements. So, when we think about this from a connection time perspective, you can have that unsecure RDP connection, Remote Desktop Connection. It might take you three to five seconds. You can have a secure connection, jumping through jump hosts, what have you, that might take you 7 to 12 minutes. Neither one of those is an acceptable outcome. What you want is a solution that aligns to the most secure frameworks but gets you to the problem, gets your best people to the problem in less than 30 seconds. So that way, they can actually recover from any other events. Because what we're trying to do is reduce your mean time to recovery. How quickly can you recover from an incident? And how do you know you're doing that in as secure manner as possible? You're limiting windshield time, right? People aren't driving or flying to the site; people aren't spending too much time jumping through those 7 to 12 minutes of hoops. You're taking advantage of production data; you're able to get data more competently off your system, and then get the right people in. And finally, we talk about getting the best people to the problem faster, whether that's a vendor, or whether that's an operations team and engineering team halfway around the world. You get your best people there as quickly as possible. To put this in real dollars and cents. This is just a made-up numbers. If you work at a 24/7 facility, and you make $125 million a year, you're producing about $238 per minute. That's how that math works out. If you're wasting that 12-minute downtime plus three minutes fixing the problem, that 15-minute downtime incident or delay will cost your organization over $3,500. So that that time that those seconds matter, in OT environments.


In terms of developing and building out real ROI for this, one of our customer case studies, Connecticut water, they improve the efficiency of their connections by 87%. That's their service delivery guys. That's their water control guys at 2 am connecting into the network and figuring out what's going on. And between that and eliminating the other remote access tools that they had previously put in place. They spun down some 150 or 200 jump hosts in the process, saving them almost a million dollars between FTE time because it's like $24 an hour for service delivery employee in Connecticut. And so that investment ROI then speaks for itself. Great. So that's most of the introduction to remote access. I'm now going to invite Yuki Shimizu up to the stage, and we're going to give you a live demonstration.

{42:11] Yuki Shimizu Application Engineer for Mitsubishi Electric North American Development Center

Thank you, Ben. Hello everyone. I'm Yuki Shimizu Application Engineer for Mitsubishi Electric North American Development Center. I'm responsible for commercializing the internal IDT solution of Mitsubishi Electric hardware and ICONICS platform as our partner. So, today, I like to focus on remote secure connection operation system for industrial automation system. So, our goal of this demonstration is to control this OT system remotely through Dispel moving target defense secure system in client system. Actually, at the end of this demonstration, you will see remote operator Ben will control this crane system through Dispel MTD network. Alright, I'd like to talk about more so system diagram with that. And actually, there are two sections of this system diagram: first on-premises OT network. Shown here we have a first Mitsubishi Electric industry PC we call MELIPC MI 2000 already equipped with ICONICS edge software IoTWorX and also this very remote access software as well. Also, we have a Mitsubishi Electric program logic controller, we call Mitsubishi Electric IQL PLC, and which is responsible for control this client system. Of course, this client system is going to be controlled by PLC program. And the second part is you can see the left side of this diagram, we have remote access sections. So first, Ben will tell us Dispel to connect to virtual desktop and which is connected to moving target defense. And also, here we are accessed to IoTWorX in this middle IPC. Alright, okay, let's move on to demo step. Ben, please show us on admin console system with your admin account. Let's login with your password and multi factor authentication.

[44:35] Mr. Ben Burke Chief Operating Officer for Dispel

Perfect, I'm going to log in with my username, my admin user account, and password and MFA.

[44:47] Yuki Shimizu 

Great. Okay, now we can see ICONICS Conference Connect 2021 Moving Target defense network. And now we can see also our infrastructure in the map although in the New England area. And we have also our so virtual network resources, and also username code ICONICS Connect 2021 with VDI users. This VDI user is already allowed IoT access to the IoTWorX system.

[45:24] Ben Burke

And this is to reemphasize that point of per user per protocol access to different endpoints. So, in this case, we're getting that IoTWorX visualizer. Inside the EMI 2000. And this user is able to get there through a series of ports and protocols, and only those ports and protocols.

[45:41] Yuki Shimizu

Right. Thank you, Ben. Why didn't you put on your operator hat? Now he's an operator. Okay, well, let's show our connection process for virtual desktop as an operator standpoint. With your password and multi-factor authentication as well. 

[46:02] Ben Burke

And I will mention again, MFA is enforceable on all of our systems. So that way you can be sure anybody connected to your network has to use MFA to get in, multi-factor authentication to get in.

[46:17] Yuki Shimizu

Yep, like that. Okay, after logging process, we need to take a couple of steps as our remote access form. At first confirm your identity. And give a reason for access. And also give a timeframe for your access.

[46:43] Ben Burke

Let's say end the day Friday, yes, who knows there might be something that comes up.

[46:51] Yuki Shimizu

And submit and request form as a final step. Nice. So important things after that step: Authorized admin must confirm this. Please show us Ben on the admin console again. And please upload it.

[47:15] Ben Burke

And I want to reiterate that this is all about creating a window of opportunity through which you can connect to a network. So, at the end of that October 1 at 5pm, I will be kicked out of the network, and I'll be suspended until I re-request access. So, we're controlling the time window through which you can request access. And again, as the administrator view, I'm able to approve that because I'm in an already authenticated session. If I was not logged in, I'd have to log in at this point.

[47:42] Yuki Shimizu

All right, that means now we are ready to access virtual desktop from operating system. This will go into the VDI, virtual desktop.

[47:55] Ben Burke

And I will mention that in the backend, these are all being sent by email as well. But we don't always trust email in the operational environment because it might be slow. So that's why you have that fallback URL that I shared with my administrator account. And it's important to remember that throughout this virtual desktop that I'm connecting to the moving target defense network that I'm going to be pre-networked through. That's all cloud based. That's all things that Dispel has taken care of. And we're trying to get to that MIT 2000 because it's through that MIT 2000 IoTWorX that we're going to control the crane. So let me jump in.

[48:34] Yuki Shimizu

Okay, jump into your virtual desktop. And then we can quickly to access IoTWorX system. And let's open a browser to open IoT visualizer to control the crane. Perfect. Okay, just input the address of this IPC. Now, I want to work “console is coming”. And just click visualizer. And we have already a good template; we call Connect 2021 Dashboard. Now you can see the simple dashboard to control system. Let's click the “Turn Right”, also “Turn Left”. You can see also the status in the top side. One more time again “Turn Left”. Now we can push our “Demo Go”. So now we can control anything that's through Dispel moving target defense network.

[49:47] Ben Burke

And again, just to reiterate: the entire process is fully audited and recorded. So, when you got access, who granted you access, straight through all the way to what you did on the virtual desktop, you can get full screen recording, full traffic logs, so that way you eliminate any blind spot of any session where someone is remotely accessing your network. And I do want to mention that we might have jumped out to a virtual instruction, the cloud, but you are able to get direct level access to control things securely in a way that you control now every step of the process. 

[50:18] Yuki Shimizu

Right, thank you Ben.

[50:21] Mr. Oliver Gruner Corporate Account Director for Mitsubishi Electric 

Thank you very much Yuki and Ben, great job. Really appreciate it. Excellent demo. So, at this point, we just want to play a short promotional Dispel video

[ 50:36] to [52:14] Dispel Promotional Video

[53:15] Mr. Oliver Gruner Corporate Account Director for Mitsubishi Electric

Hey, thank you very much, Melissa, for joining us. I think we're moving into the Q&A session. You got all your panel members lined up, Melissa, so let's hear some of the questions coming in from the online community.

[52:29] Ms. Melissa Topp ICONICS Senior Director of Global Marketing

Sure, absolutely. So, we’ve got a number of great questions here. Thank you everyone for submitting them through Attendee Hub. I think have a pretty good idea to whom each question should be posed to. Let's start. This one sounds like a good one for Ben, ”Is it possible to deploy the cloud infrastructure in our own cloud accounts?”

[52:55] Mr. Ben Burke Chief Operating Officer for Dispel

Yes, absolutely. We can deploy again, across cloud providers in over 200 global data centers. And we can use your cloud accounts, your Cloud credentials to deploy. And actually, we offer a discount for doing so. So totally.

[53:11] Melissa Topp

Sounds good. Thank you. Another one for Ben, “You mentioned this should be used instead of a static VPN, but that's been the standard for so long. Why is moving target defense more secure?”

[53:27] Ben Burke 

Yeah, it really kind of breaks down to three components. The first is that sandcastle mentality. So, it's not painting a target profile on your back and your organization's networks back. The second is really the direct access to your operational environment. If you then don't trust the endpoint coming into your network, giving them direct network level access is opening the door for whatever they have on their computer to come in alongside it. And then the third is just the administrative overhead. Right? So, it's, how much effort does it take to grant someone access? Is that a one-hour process, a one day process, a one month process? I've heard it can get hairy out there. So, it's how do you simplify and standardize that process? So that way IT security is already on board with what you're doing? And you can get, you can process things much more quickly. And then in the backend, you're automatically removing people when their job is done.

[54:23] Melissa Topp

Very cool. Thanks, Ben. This sounds like a good one for Oliver. “Is ICONICS working on IEC 62 443 certification?” I know Ben mentioned some other types of standards but didn't hear that one. So the audience would like to know.

[54:42] Oliver Gruner 

That's a good question, and ICONICS is working on that. And there are multiple phases that go with it. Our parent company, Mitsubishi Electric at the Nagoya works location, they have gone through an IEC certification which is basically the process of how you code and how you handle secure data transfer. So that's how Nagoya Works has done, and we are following that. And we are planning on finishing this up by the spring of next year. And once we have this first phase done, then we are going to look into how do we apply the certification for our actually the products that we release? That is going to come out a second step later after that.

[55:31] Melissa Topp

Very nice. Thanks, Oliver. Next question. Oh, this was an interesting one. “So, you described pretty well, Ben, how the system worked for controlling operator access? Could it work in a similar way for controlling vendor access as well? And how's the process different for vendors?”

[55:53] Ben Burke

Yeah, I would say that our goal is to standardize how both operators and vendors are going to enter a network. So that way, you're not thinking of too many different processes, and you're applying the strictest controls you can to both parties. So, the vendor process would work exactly the same way. You saw my operator access work; it's just that there are some operator accounts that don’t need the same level session recording. But it's really up to whatever the balance of security that you want to enact. I recommend everyone be recorded. But that that's really up to you.

[56:28] Melissa Topp

Fair enough. Thanks, Ben. Another one for you. I was curious about this one, too. “Can you explain what you mean by disposable when talking about virtual desktops? Why does that help from a security standpoint?”

[56:43] Ben Burke

Yeah, so the key component of disposable infrastructure, like the virtual desktop I connected to, that one will be destroyed at the end of today. And a fresh new virtual desktop will be built. We do provide full customization of our virtual desktop so that way, whether it's GENESIS64 or other tools you need on the virtual desktop. A lot of common ones would be SSH or RDP itself. We’ll make sure those applications are on a golden template of the virtual desktop, so that way each time it's been built, all the tools you need are there. But by throwing away that desktop each day, think of it like the submarine, I've now moved that submarine on a daily basis. So, anybody who thought someone was connected to your network through IP address XYZ now has no idea where you are today. So that's really the idea of disposability. I would also add that it allows us to build from a known clean, golden image, so that way, there is no chance for any kind of latent malware or anything else to be there. And we also are automatically applying the latest security patches and updates all throughout that process. So, we're taking care of all that. You don't have to think about it.

[57:47] Melissa Topp 

That makes perfect sense. Thanks, Ben. We got one for you, Tom, “You talked about talk Takebishi and OPC servers; someone wants to know what makes OPC UA a secure piece of the puzzle?”

[58:00] Mr. Tom Burke Global Director of Industry Partnerships for ICONICS

Well, and it's so important. We also have Dispel, and we have everything built in the architecture because OPC UA is secure by design. But that's only one small part of the interaction between the client and server, the publish subscriber. In order to do remote access, you need Dispel so it's just part of it. But OPC UA is essentially monitoring all the certs all the time basically, and making sure that they're addressing the different things that go on. Security, by definition is a moving target; you've got to constantly be looking at the different things that you need to address. And the whole concept of being virtual and things like that and swapping that thing out at the end. The whole concept is eliminating access where people shouldn't have access. So OPC is very conscious of this; they're working with all the industry standards from an international perspective. But you still need a complete infrastructure, and things like Dispel play a very integral part into the solution to address the cyber security flaws of today and tomorrow.

[59:04] Melissa Topp

Absolutely. One more for Ben. We'll see if we have time for any others after that. “What does a normal installation look like? That made me chuckle; what's normal anyway?

[59:17] Ben Burke

Yeah. No network is ever normal. I guess I'll start with that. But as you can see, even with the EMI 2000, we can deploy as a piece of hardware or virtual appliance. So, in this case, is a virtual appliance living inside the EMI 2000. That’s the only local on-premises requirement. We will need one outbound firewall rule. So again, that's an outbound only connection. There are no inbound firewall rules. And from there, it will proactively connect out to a moving target defense network and then act as a gateway at the edge of your network to provide access to downstream endpoints. We will require a bit of knowledge about some of the routing in your manufacturing network. So, you'll have to come equipped with that. But for most of our customers, the process takes about an hour and a half. And then another hour of training. And you're on your way.

[1:00:10] Melissa Topp

Nice. You mentioned the word downstream there in your last response. Funny because the next question this person wants to know, “Do you work in Downstream oil?

[1:00:22] Ben Burke

Yes, yes. So, we work by across a number of industry verticals, oil and gas downstream, upstream, midstream, all the streams, but we also work in water & wastewater, basically, anybody with a critical environment. Specifically in downstream, we've had a lot more interest in the idea of remote data connectivity. So, it's getting historian data; it's getting data off the factory floor to the people that need it. How do you do that in a secure manner and also in a way that disassociate the parties?

[1:00:52] Melissa Topp

Thank you very much. That wraps our Q&A session for now. I wanted to take a moment to thank you guys for being here with us today and entertaining all the audience’s questions and to wrap up, I’d like to ask to bring up the video from our session’s sponsor Takebishi. 

[1:01:15] to [1:03:16] Takebishi Video Promotion

[1:03:18] Paul Carter ICONICS Mid-Atlantic Business Development Manager

Well, welcome back everybody to the newsroom. We just had an opportunity to sit through a couple of interesting breakout sessions. I attended the Safeguarding Against Cyber Threats with Secure Data Connectivity. And Mark. 

[1:03:37] Mark Fountain ICONICS Business Development Manager

I attended the CFSWorX. Some wonderful, wonderful; it's quite good. One thing we should bring up quickly is that we do have a couple more breakout sessions coming up soon. And if anyone has any questions on that, we can go back through some of that in a few minutes and make sure they can join it. 

[1:04:00] Paul Carter

While we're here, kind of rambling along, everybody's welcome to take a break and take a bio break and get ready for the last half of the day because we will have the sessions that that Mark mentioned. Then we'll also have a panel discussion. So please feel free to submit questions for the panel discussion if you’d like, but that's coming up as well as afternoon.

[1:04:19] Mark Fountain

So, tell us, what did you learn in the session you attended?

[1:04:24] Paul Carter 

So, one of the things that, obviously, we talked about some of the new enhancements in communications that are going on, but probably the more interesting thing was that one of the things that everybody thought was the way to secure networks using VPNs, kind of got blown up. And they and they introduced a new concept called moving target detection. And it's a whole new concept in the way that they establish secure connection for remote workers and remote connectivity and are our sponsor company Dispel has a really nice solution for that. And they've been very, very successful with many large critical infrastructure type industries such as oil and gas, water and wastewater, and a lot of the technology comes out of the Department of Defense. So really, a very interesting presentation in what they're doing to allow the new normal remote workers to connect into the systems. And then just for things that were introduced there's a little conversation about Sparkplug B. Tom Burke shared with us some information about Sparkplug B which is becoming an adopted standard for a lot of industrial automation using IoT. And Oliver Gruner introduced to us the new secure connection, BacNet SC, which I thought was very interesting. Some really interesting things going on there as well.

[1:05:40] Mark Fountain

Excellent, excellent. Well, I had the opportunity to join the Connected Field Service Worker session, and it was a quite good as well. One of the things that came out to me was the whole concept is the point might be the fact that they want to extend the reach of an existing system. And along that line also be able to provide real time feedback. So, in other words, this whole concept of having somebody remote and be able to get the job done now, rather than have to wait because if you think at some of the constraints that typically we have. You have somebody in an office; they're waiting to hear something about what’s going on and prior to the pandemic, you had these people that might be sitting in an office, “Oops, I got an alarm, or I've got an issue. I going to go out to the field. Oh, I see something. Now I got to go back to the office to get something fixed”. So, you're wasting a ton of time on there. So, the concept behind here is to be able to extend that network and take a field worker who's already out there who might have a particular job that he's doing now. Let's not overburden him. But if we have the right person at the right place at the right time. Let's put them on the job.

[1:06:56] Paul Carter

Absolutely. Yeah. Makes perfect sense. 

[1:06:58] Mark Fountain

And included in that session was also a reference to Lake City's Municipal, which is just north of Dallas. And it was it was done by Impact Automation with Shane Stevens out there. And what they have, which I thought was kind of unique, was they have a smaller municipal system. It's freshwater wastewater, and it basically serves three cities. The interesting point of that though, is the fact that they had a pretty small workforce. So, because of that, they needed to already have some kind of a mobile thing. 

[1:07:38] Paul Carter

So, they connect in North Texas. If you're familiar with that area of the country, it's pretty wide-open country. There's a lot of land out there so to have remote workers is probably pretty common. 

[1:07:45] Mark Fountain

Yeah, exactly. And where there isn't wide open space down there, there's a lot of traffic. Okay so the gist of this is to take the GENESIS64 application and add this using a mobile HMI app, connect and have a secure connection using something like HTTPS, things of that nature. And then if you'd like, you could use third party apps like WhatsApp, Twilio, and things like that. The key point is there should be VoIP which is the tenure we want to use.

[1:08:29] Paul Carter

Sure. Interesting. I think What’s App is end to end encrypted. I think that's correct. Well, I'm not claiming to be a WhatsApp expert, but I believe it's encrypted. So, it's kind of interesting; all of these new things and new stuff going on, all lead back to Ted’s comments this morning about the new normal. All of a sudden, the new normal is not what it used to be. If you describe the worker who's probably in an office, who goes out and figures out what's going on and has to come back to get parts of something, and all that type of stuff. That's not the new normal anymore. There's a different normal, and we're all living it. We're all dealing with it; we're all working with it. So, it's just part of part of what's happening in life.

[1:09:12] Mark Fountain

Right. And I think it may, in some ways it may have kick started some of the motivation to move this type of technology forward.

[1:09:19] Paul Carter

Oh, absolutely. Sure. What's the what's the purpose for having a truly connected field service worker if there's no motivation for it, right. So, it'll be interesting to see how these technologies get adopted as they go forward. Really, really powerful stuff. And obviously the more dispersed we get, the more challenging security becomes and so leads back to all the other secure communications and this moving target defense is supposed to help protect from intruders getting into the network and finding weak points in the networks and finding ways to get around.

[1:09:51] Mark Fountain 

I liked his analogy of the submarine moving. 

[1:09:54] Paul Carter

Yeah, He actually used to two analogies. One was the kind of the static VPN being a sandcastle. Sooner or later waves going to come in and overwhelm the sandcastle because it's static. It just stays there. We keep building stuff on top of it. While if we use a submarine, we're totally sealed up, isolated away, and it keeps moving around. So, you never know where it's going to be or where it's going to show up. So, it really is kind of interesting. Very, very interesting. Especially if you understand submarines. 

[1:10:21] Mark Fountain

And one of the other things that I talked about in the Connected Field Service Worker is the idea of integrating maps. So, think of one of the examples of geo-fencing. So, the concept there is being able to create a virtual fence, if you will, and set up a perimeter on that. And to be able to tell if ‘A” if someone's crossed the line, or “B” if there's an issue in that particular one. And essentially, what we're talking about is looking at alarms and events. When we talked about an alarm, in our jargon, what we're looking at is an OPC UA A and E, is really what we're looking at. So, I just wanted to point that out to make sure we clarified when we talk about alarming, that's where ICONICS is coming from.

[1:11:25] Paul Carter

Interesting. I think the geo-fence probably has some other functionality as well. Again, when you have a dispersed workforce, you want to know where they are when they under certain areas and stuff. It'll be interesting to see how the creativity and imagination of people use that functionality.

[1:11:44] Mark Fountain

Well, and I think that's going back to some of the earlier things we talked about our partners and the tool sets that ICONICS provides. I think we depend on these partners to provide this creativity them. And I would point out that a lot of some of the better aspects of our products have come from partner requests. And the key to that is to make sure it's not a one-off. It's something across the board. So, it's not something that's hard to support, but we can grow on it. And that's part of us working with our partners.

[1:12:19] Paul Carter

So, for those of you not familiar with ICONICS, ICONICS does things called Voice of the Customer. And they take a look at all the technical support cases that come in every quarter. And they sit down, and they have a review meeting, and they look at all these different types of things. And there's a lot of information that comes out of those types of sessions that allows a new feature to be added to the product. And the building of the new feature is important because it's not a custom feature. It's a new feature. And when it's a new feature, it's supported in future revs, in future evolutions of the product. And it prevents our customers from getting stranded in an application and getting orphaned in an application. And those things can be very important for companies trying to maintain synergies of their systems, especially as they upgrade over time. Because as we all know, a lot of these systems once they're installed, they're there for many years, sometimes that decade. They're there a long time. 

[1:13:19] Mark Fountain 

So, we're going to show a couple more videos, but I did want to point out again that around 2:45 pm we're going to be moving to the next two breakout sessions. 

[1:13:48] Paul Carter

So, we got two more breakouts this afternoon that everybody's going to have an opportunity enjoy. And if you've heard something that one of us has said about one of the sessions that we went to and want to learn more about that, remember that everything is being recorded. And all of the attendees are going to have access to the recording after the session. So, you can go back in and if there's a product related feature something that's discussed, and you'd like to learn more about it, contact your local ICONICS person, and they'd be more than happy to get the right resources involved to have whatever conversation you need to fully understand to do with the new resource. 

[1:14:25] Mark Fountain

Absolutely. Please I want to reiterate the fact that if you've got questions newer online, please feel free to send in those questions because if we can get those questions answered right away by the people that are presenting, you're going to get a quick answer. 

[1:14:44] Paul Carter

Also, just so you're aware behind the scenes, all the questions are being compiled for the panel that will take place at the end of Connect 2021 today, so there is a panel discussion coming up and a lot of those questions are going to be presented to the panel. So, you're going to be able to speak directly to the keynote speakers today in the panel session. So, a lot of good stuff still to come. Even though it's been a pretty full day so far.

[1:15:12] Mark Fountain

We've got two more breakout sessions coming up. The first one is Streamlining Operations for a Sustainable Future and the second one is Riding the IT OT wave: IoT Digital Twins, and Computing on the Edge. That will be coming up around 2:45 pm. Paul and I are going to take a break in just a moment. We'll talk a little bit more about these two upcoming sessions.

[1:15:38\ Paul Carter 

Just so you're aware: the Streamlining Operations for Sustainable Future session will be hosted by Zhi Wei Li, and Zhi is leading a lot of our innovation efforts. I've always found Zhi to be a very interesting and informative speaker and amazingly creative in his development of dashboards and other types of technologies and how to use the ICONICS toolset. I'm sure Zhi will not disappoint. I've been on multiple calls with Zhi’s customers. Yeah, He's brilliant. He's brilliant.

[1:16:19] Mark Fountain 

He's brilliant. We all sit back and listen. We learn every time we talked to him. And then the Riding the IT OT Wave: IoT Digital Twins and Computing at the Edge is going to be led off by one of our newer employees Spyros Sakellariadis. Spyros comes to us from Microsoft, and he has helped Microsoft customers deploy IoT applications in the Microsoft systems. I think Spyros is going to be very interesting as well. 

1:17:08 Paul Carter

Thanks. We'll see you soon.