Chris Ganacoplos with Preforce and Tim Schilbach with Penacity

SUMMARY KEYWORDS

people, organization, industrial, tim, chris, technology, policy, environment, perforce, security, baselines, compliance, corporate governance, infrastructure, connected, work, focused, talk, culture, call

00:00

Scott. Welcome to the Industrial Talk podcast with Scott. MacKenzie. Scott is a passionate industry professional dedicated to transferring cutting edge industry focused innovations and trends while highlighting the men and women who keep the world moving. So put on your hard hat, grab your work boots and let's go all right, once

00:22

again. Welcome to Industrial Talk. Thank you very much for joining the number one industrial platform in the universe that celebrates industry professionals all around the world. You are bold, brave, you dare greatly, you innovate, you collaborate. See, I said, collaborate in that. And you are solving problems each and every day, making the world a better place. That's why we celebrate you on Industrial Talk. We're also broadcasting from OMG Reston, Virginia is the location. This is Q1 meeting. They have four as you can tell, because there's four quarters in the year. So this is Q1 and it is a collection of problem solvers, people who debate and die on hills. We were having that conversation prior to this conversation. So we have two in this seat, Chris and Tim. They are in the hot seat. So let's get cracking.

01:10

So how you guys doing phenomenal. I

01:13

mean, where else would you want to be right now?

01:14

Don't you think this is I love resting. But did you go out there and just sort of wander around the little walking area. Have you been down out there? Oh, absolutely. I

01:24

used to live in this area, actually. Did

01:25

you How come it's so quiet? Well, it's not

01:28

buzzing. It's like,

01:29

I mean, I can walk across the street knowing full well I'm not

01:32

going to get hit. Wait to 4pm it'll be a whole different place. Is

01:35

it okay? Because I I'll hold you to Tim, what do you call home now too.

01:41

I'm out of Pasadena, Maryland now.

01:43

Oh No kidding, yeah,

01:45

the other Pasadena,

01:46

I was just getting ready when you said, Pasadena, I

01:48

was like, oh, California, yeah, you know, I

01:51

was already there. I

01:52

mean, same place as the bastion of technology in Maryland. Not really a lot of boats, so.

01:56

But it's true. That's true. Yeah, all right, for the listeners out there, let's give it a little background on you both. Starting with you, Chris, give us a little background on who you are.

02:05

Yeah, hey everybody. This is Chris Ganacoplos, and I've been with Perforce, company that is focused on dev SEC ops. So we're out there trying to help people understand how to navigate the DevOps tool chain, as well as solve for problems across the way we focus in on understanding continuous compliance and standards. I'm also a member here of the CISC governing board, and yeah, Proud member to help people keep pushing standards out across OMG. So thanks.

02:38

Devsecops, development, security operations, is

02:43

that what we call that would be it. There you go. I was just gonna say, No, don't go down

02:49

there without me catching you, because I'm not the sharpest all the things together. Yeah, right, because it's so difficult to call it the villain. Security Operations, all right, Tim, you're next.

02:59

Hi everybody. I'm Dr Timothy Schilbach. I'm actually a the president and owner of Penacity LLC. We are strategic partners with Perforce, and we've come together to really try to automate the hardest part of security, right? And so that's the conversation we're wanting to have. Our background, or my background, is 30 years in the military, specifically as a military offensive security specialist. That's just a fancy way of saying hacker, yeah. And I specialize in hacking industrial security systems. So I work a lot with nuclear power, generation, maritime shipping, rail systems, you name it. It's a lot of critical infrastructure stuff that we got

03:38

and work with Yeah, so that, because I have a list of questions, which I won't follow, just FYI, they gave them to me. You gave them to them, and then, and there's, there's lengthy stuff, so I'm not going to do that, but I get the gist. And one of the things that talked about this, I continuous education, compliance stance. It's changes so drastically and dramatically so rapidly, right? I put a lot of words there. I did it. And when we started talking about critical infrastructure, I just, I was just broadcasting from distribute tech, which is a utility centric grid, you know, major infrastructure type of stuff and security was talked about. So with that, Chris, talk a little bit about just sort of lay the playing field. What? What is CMM, a, CMM, C, right to Dotto, what is it? Yeah,

04:35

so, I mean, I have the expert right here on CMMC. So

04:39

what should I just sort of shift that question to Tim and go ahead, go for it. Absolutely

04:45

sorry about that, Chris. You should have just sort of stepped up and said, Do you think that's right? When

04:51

you have a doctor by your side, you go with the doctor. There

04:54

you go. Right. Yeah. So CMMC, it's a cyber Maturity Model certification and. The government has actually cooked that up because, well, as you know, there's a lot of adversaries of the federal government and US military, and they want our secrets. At the end of the day, who has our secrets? Well, our industrial partners out there called the defense industrial base. So they're the people who manufacture everything you can think of. And when you think of the defense industrial base. You were actually really the face of them is, I know you think the big, big names out there, like Booz Allen and Leidos and sea and these big, big, great giants and juggernaut companies, but behind those are 80% of the platform is really small businesses, small manufacturing organizations, small warehousing organizations, very small businesses at the end of the day. So cmmc was really brought about in order to solve the problem of proliferation of our industrial secrets. Think like our Joint Strike Fighter missile plans, like understanding, you know, what type of boxes are produced by a Box Company, and what special intelligence materials go in those and where are they at warehouses, and what transport train are they on? So if you could think about the implications on the battlefield to the warfighter, is that if you know where the things are at, or if you know the capability of your adversary, you can essentially run them out or destroy their capabilities, to degrade their ability to wage war right at the end of the day. So any erosion of our industrial secrets, especially let's take the Joint Strike Fighter, the J 35 strike fighter that was stolen by China. For instance. This is how we came about with CMC. Is that the theft of that really led to us formulating laws in this country, and now the organizations that are small businesses have to conform to these new regulatory laws?

06:44

Yeah, that's why I didn't answer that question. I

06:46

was just going to say, yeah, good call on your part, Chris, so let's talk about continuous standards, and with that incident, explain to us it's a dynamic world out there. It just is. How do we, how do we even begin doing that? If I, if I want to be connected, which I do in which a lot of people are talking about it in here, just that connected capability, how do we start ensuring that it's secure? Yeah,

07:15

I mean, I think the first thing you have to start with the infrastructure, right? Everything has to sit on something that's secured at the infrastructure level. So, you know that's that's really the core for everything. You know you can build on top of it. You have all sorts of ways to build your applications. Those applications go on the different devices, which in some cases are tanks, planes, depending on what's going there. But it's really about what's your policy, right? Because everybody has a different policy when they're thinking about who has the ability to make this change, who made this change last? Were they approved? Were they not approved? Some of the things that a lot of people don't consider is okay, I'm in compliance at this moment in time. But what happens tomorrow when somebody makes a change? Can I change that back to where it needs to be? So I'm still in compliance. What changes are going out there with other nation states? What other What are jurisdictions? What frameworks are out there? That's why it's really important for to identify what your infrastructure is going to look like, but then also what's the framework it's going to follow? One of the examples that we're running into with CMMC is they want to follow NIST 801 71 172 and that is, that is a compliance standard that helps people understand what their baselines are in their infrastructure, and then puts controls in place. And those controls could have something to do with their system hardening based upon looking at their laptop, your laptop right here in front of me, you want to make sure that nobody has any critical vulnerabilities that have been issued to it or that have come to it. If you want to be connected, you're going to open all sorts of vulnerabilities into your environment, into your workspace.

08:57

How do you keep and I throw it out to you guys can look at each other on which one we should answer this, and I've learned my lesson. How do you, how do you take something like that and where it changes and could change? Let's just use the let's say it changes on a daily basis. How do you how do you ensure that you are in compliance? I mean, I don't know how you Is there something that says green is good? Yellow? It could be as simple

09:29

as that. So, so here's the problem that we've got, is that inside of our environments, like you said, they're very dynamic environments, and unfortunately, everybody in the environment has a different need. So think of it as work roles in your environment. In your environment. So the management team is going to have different needs than the IT team is going to have different needs than the people on the manufacturing floors, the accounting department, they all have a different set of software and things they all need in their system. So one size just doesn't fit all number one. So I don't think it's realistic to say I have a one size fits all. Thing out there. Secondly, what businesses are really bad at is documenting what they're what we call their baselines. That means that you know all the things on your environment and all the switches you flipped in order to be able to make those things, the things right out there. And like I said, now we have this dynamic environment where changes are continuously happening. So by the time the RIT departments essentially deploy the utilities and tools out into the field, they all have changed very often. That's the reason why it was very important to partner with like Perforce and utilize their platform puppet. Because what it allows us to do is it allows us to identify and really footprint the entire environment as an abstraction of code and not code like in the scary programming, code like you see on television, right, on a declarative way of saying, I want this thing in this state, and it just figures that out for you, right? So there's not a lot of vertical learning that gets that needs to be done here, and if done right, you could literally, on a daily basis, or even an hourly basis, go into that code and say, the accounting department needs this exception, it rolls out to everybody. And then not with that. But can we check the computers every hour, every five hours, every day, for instance, to ensure that they're compliant, and then deliver that information back to the stakeholder who's responsible for that security? And then green is good, like you said, and then we can detect changes the environment. Hey, if there's an unsanctioned change to our environment, maybe we should check that out. Maybe that's, that's something that we should be not doing, right?

11:28

Does that make sense? Yeah, it

11:30

does. But, but for me, was just always laid out there, being who I am, that's still, I mean, that's an ongoing it's so dynamic. Yeah, it's so big. It's so massive, it can be and yet, do you think, do you think that the speed to be connected, to be, you know, whatever this brave new world looks like, and you know, the speed at which we're able to do that, and then you have that the security side moves at a different pace. Do you think that there's just going to be this disconnect between, Yay, I'm all connected. It's all great. Oh, look at these. I don't want to talk to these guys. Yeah, we

12:21

call it running fast with scissors, right? That's right. There you go. You have to have some sort of guardrails behind who's making the changes. Yes. And, you know, honestly, that's one of the things that our organization focuses on, because we don't want to hand cap or handcuff people with their technology, right? Your technology is always supposed to be moving innovating. What we're doing is we're helping you allow or innovation, but at the same time, we're giving you those guardrails so that your security team isn't going to come ahead and push a button and say you're not allowed to do that. We want to make sure that you have that capability so that security has already proved that policy, so that it's almost like a self service, self healing type of infrastructure.

13:06

Or even imagine this. Imagine you're a person who wants to make a change in your system, and you make that change, but also it changes back, because we want to enforce those baselines. We don't want people making unsanctioned changes in our environment, because that introduces risk. So somebody who is in charge of risk for the organization really needs to be the decision maker, or a group of people collectively. Typically, we call that a change control board. Right? A board of people will get together who are the stakeholders of the organization and determine we want to introduce this new thing. Have we thought about it? What does it introduce? And yes and no. How can we do it? But going back to your original point on like, Can we do this from the top to the bottom. How does policy converge with the technology? Right? It can be as simple as putting in a ticket or people make the change in a file, quite literally, hit hit Deploy button. It deploys everything instantly. Everybody's happy. It doesn't need to be a very long, painful process. So the technology changes should be the least evasive thing out there. Mostly it should be focused around the policy so that the organization can have a natural cadence by which they meet, identify issues, work them through together, and then collectively implement them with a click of a button. Nobody wants

14:14

to talk about cybersecurity. We talked about that, and I'm an executive, and I just want to talk about what I like to talk about, and that's whatever making money and production, and where do we stand? We're

14:26

quantifying and offsetting your risks that could harm you for doing those.

14:29

But then to that point, that has to be a part of that whole thought process, right? Yeah,

14:35

no. Executive wants to be in jail.

14:38

I mean, not that I've met, but I was just going to say not unless you're running,

14:43

unless you're running for president, potentially you might want to go jail. It's good for publicity.

14:49

So with that said again, there is how do you how do you create a culture environment that is constant? Lee, making sure that from the top down, and a level of confidence that I don't have to be, you know, obsessed with it, but it just happens in a way that is that makes sense continuously. Yeah,

15:16

and the culture is the key word, right? The culture comes from the strategic direction of the leadership, and the leadership is looking at ways that they can reduce costs, reduce risk, make money, and to do this, they have to make sure they have a team of people that are all working together so they want to share that information across the organization, because nothing's going to handcuff you more than having silos of people trying to do the same thing over and over again. One of the things that I'm seeing a lot now is people are trying to focus on what all right automation is key, right to development and reducing costs. But what do you use to automate? What do you automate a task that's very simple that you do every single day, or do you automate something that's a very difficult task to do, that's a very high priority? And I think it's that type of policy that your organization looks at the benefits plus the the negatives behind it. It's like, how are you going to go ahead and implement that into your culture? Because there's so many people out there that look at culture and they just define a couple buzzwords, but culture is how your organization acts on the cultural core, core responsibilities, core positives.

16:33

Tim, I'm an existing business. I've been in business for 20 years. Let's say I did, and that's the use case 20 visitors. And so I've been in business for 20 years. I've been pretty successful. I've manufactured what I need to manufacture, whatever it is. But now all of a sudden, I I'm being, I'm being I'm faced with this, right? How do you even begin? What's like the step like step one, talk to Scott. Step two, help us through that absolutely. So

17:08

I'm going to go back to what Chris was talking about as the organizational owner. The buck stops at the end, right at the end of the day. So also knowing where your limitations lie, and say, Okay, I'm not the expert in this domain out here. Therefore, I'm not going to try to tackle this on my own. So number one, go get educated. Right? You know, this, this process that we're doing here, this is an educational process to help people to start. You know, where do I start on my journey education? Go out and read the regulation, find out who's in charge of dispensing these things. In this case, it's the cyber accreditation board. If you go to their marketplace, this ever accreditation board will lead you to all the professionals that are certified, vetted, validated, in order to be able to start to answer this problem, right? So either that or assign somebody in your organization the role of doing those things and putting that ball in motion for you, I've seen organizations even at small scale, either hire on a consultant temporarily to provide them with a gap analysis of the organization. What are all my problems? What do I need to do, and what's my you know, you know, direction I need to go to go solve those things. That's a technique. You could hire somebody into your organization who has those skills, and going to the accreditation Board's website and looking for somebody who's certified and actually has professionalism in implementing and sorting out these issues, is the other way to go around this and then finding technology partners. This is the one thing that we find in dealing specifically with manufacturing, is there's no one silver bullet. It all depends on what, number one, identify the business cases. Number two, drive the technologies, based on the generation of what those policies and procedures or what your corporate governance is going to look like. So look like. So it shouldn't be technology driving corporate governance. It should be corporate governance establishing the rules of what you can and can't do in your own organization. That informs the policy. That informs, you know, can

18:52

I? Can I incrementally approach it? I know that there's a you know, you want to be, you want to manage those risks in a way that makes sense, okay, but, but that, that elephant is huge, absolutely, start,

19:06

start with the basics. So let's, let's establish your corporate governance program, number one, right? So that's developing a series of policies and procedures of your organization that revolve around the framework of CMMC, or that NIST eight, number 171,

19:20

right? Or just a Stig is here in the government. It

19:23

could be CIS baselines, right? There's a variety of frameworks out there, and this is the one thing I like about the government, is they don't give you a blueprint that says step one through 12, right? They give you a a lot allowed in, right? They basically tell you must have thing, and then you have to insert thing here. But the problem is, is that, like you said, you're a business owner of 20 years, you're an expert manufacturing, not this thing that we're talking about. Yeah, it sounds like gibberish, right, right? So again, you know consultancies are definitely the way to go. Inform, get getting informed is the way to go. But also, we have a lot of disinformation floating around out there as well. So get your. Information from what I would call authoritative site, sites and stuff. So the government, who's making the role is an authoritative site, go get your information there first. Because anybody can put a commercial. I

20:09

want a Sherpa. I want somebody to help me along with this thing, just because it's, well, give us a call. Yeah. See there it is. Now, with that said, let's talk about how to get a hold of you guys, Tim, how do they get a hold of you?

20:22

Well, you can actually look me up in LinkedIn out there. It's Timothy Schilbach, or you can reach out to me at tshilbach@penacity.us

20:31

Chris, yeah, and it's Chris Ganacoplos, G, A, N, A, C, O, P, l, O, S, yeah, and just reach out to me on LinkedIn. So thank you so much for this. Scott, Yeah,

20:42

my pleasure. They actually talk cyber security. I like that stuff. Somebody did it. All right, you guys are absolutely wonderful. Thank you very much for being on Industrial Talk. All right, we're going to have all the contact information for these two gents out on Industrial Talk. We're going to have their stack card right there so you reach out to them on LinkedIn. They are an open book. And yes, you do. You need a Sherpa. You need somebody to help you. Along with this cyber it's happening, just whether you like it or not. You can stick your head in the sand, but it's happening, and you got to find those right people. I'm not going to read I'm just going to find somebody, quite frankly, all right, stay tuned. We will be right back.

21:21

You're listening to the Industrial Talk Podcast Network.

21:31

Chris and Tim are the gents cybersecurity was in the conversation, and I know we talk a lot about being connected, pulling that data, getting that information into your operations, making that business more resilient, it's all good, but we can't forget about cybersecurity and being able to do that, and keeping current with that, that's important stuff. So my recommendation, yours truly, you need to connect with individuals like Chris, like Tim, find out more. Make it happen. Industrial Talk is here for you. You have a podcast. You want a podcast. You want to highlight your solutions and technology. Put it out on Industrial Talk. It is a platform that is dedicated to education, and you want to collaborate with these individuals. It's there too. And you want to innovate, you find out the latest, greatest innovation that is taking place in impacting industry as a whole. Be bold. Be brave. Dare greatly. Hang out with Tim and Chris. Change the world. We're going to have another great conversation shortly. So stay tuned. You.