Hi everyone, Ed Amoroso here. And this is kind of part two of our discussion of critical infrastructure in the context of cybersecurity. Now, you'll recall, in our last video, we said that critical infrastructure kind of corresponds to this property that, if removed, it makes it impossible for a mission, the attendant mission, to be supported. If that sector, component, transportation, water, energy, defense, if those things are missing, then it's hard for society to achieve its mission, fair enough? So the question is, how do we stop these types of things from cyber attacks?
Now, for many years, the presumption was, eh, critical infrastructure, your PC, what's the difference? If I asked you, how do you protect your PC at home, you'd probably go, well, passwords, some system administration. I do some scanning, I run a little firewall on it, a little encryption of some stuff, that's it. Say firewalls, encryption, password, scanning. And then I say hey, big critical infrastructure. The transportation systems and control systems in your country, how do you protect that? Sadly, too often the answer is then, you know, passwords, firewalls, we scan it, do a little encryption, you do some system administration. It's the same stuff. [LAUGH]
Now look, your PC compared to a massive critical infrastructure component is as different as a tricycle and a big jumbo jet. These are totally different. These are fundamentally different components. They're both means of transportation, they both have wheels, they both take human beings from here to there, but that's kind of where the similarity ends. And so it turns out that there's some techniques for protecting critical infrastructure that transcend normal everyday cybersecurity. I want to mention one example and then kind of dig in to a second. So one example is called situational awareness.
And that's where you're hyper aware at all times of the threat level and threat condition, and amount of potential vulnerabilities, exploitable holes and other things that might exist in an infrastructure. You're keeping track of that, situationally aware at all times. Does that have any meaning on your PC? Really not, like you don't have to be kind of a weird person to be constantly hovering around your PC being situationally aware having it all wired, the telemetry pouring out, you're constantly monitoring the safety and security of your PC. Very unlikely that you're going to do that on an individual basis. But if you're dealing with the transportation sector, or you're dealing with the military or power, then you are absolutely doing that.
And I think it's a good kind of first view of how different protection methods might be for something small, something large. Small things can be manual, large things can't be manual, you have to have some way of scaling. Small things can be in some sense, they don't have the need to scale. You don't need to be able to measure how quickly something can be deployed when you scan your PC at home. If it takes an hour or two [NOISE] no problem. You want to deal with scale when you've got thousands or tens of thousands or even millions of components, suddenly scale matters. Like if you want to run scans on all of these things and they each take two hours, you may have a problem, so you have to attend to a fundamentally different set of concerns. So this idea of situational awareness is one that I think is pretty useful.
But a more interesting one, frankly, that illustrates the difference, is something known as diversity. Now diversity means intentionally introducing difference in an ecosystem. So for example, I'll give you a contrary example. There's some companies, like here in the US there's an airline called Southwest Airlines. I can show you a picture here of all the airplanes lined up at an airport.
Southwest, in order to keep their costs low, in order to keep sort of the training and the operations kind of uniform through the whole fleet, they fly one kind of airplane, 737. Good idea, these are all wonderful jets. And it allows the training and the operation to be the same. They're all the same. They don't have ten different kinds of airplanes. But suppose the Aviation Administration of the United States decided to ground that jet. Well, that would cause a big problem because they don't have great diversity. Now again, this is not a cyber issue, I'm just trying to illustrate the strengths and weaknesses of diversity.
In contrast, if you look at it sort of as a bio-diverse ecosystem in a beautiful picture here of an ecosystem. Where you've got lots of different foliage and plant life and animal life and other types of things, bacteria, and soil and everything is different and they all work together in a very symbiotic and diverse manner. It'd be different to take something like this out with say one crop disease by taking one segment of the very diverse population out, but it wouldn't take everything out.
So the idea, say, for your PC to have diversity doesn't make sense, because you're going to pick an operating system, you're going to pick applications, you're going to just be what it is. But in a large ecosystem around some critical infrastructure component, you might decide specifically to introduce diversity into that populace. Meaning lots of different operating systems, lots of different applications, diverse network technologies, diverse geographic regions, and on and on and on. The reason being, that if somebody attacks one component of that infrastructure sector, it will not easily cascade across to other sectors. This idea of cascading is a weakness in a non-diverse ecosystem. When you have everything the same, a bazillion Windows computers are vulnerable if they're all connected together.
If somebody's got a killer virus for Windows, it's going to cascade. But if I introduced five other operating systems and sprinkle them around, suddenly my Windows virus that comes in will only cascade to other vulnerable systems. When it hits a diverse interface, hits something that's not willing to accept that virus, it stops. You can see how that's a good way to stop cascading. No meaning in the context of a small system. Fundamental consideration in the context of critical infrastructure.
And the reason I think it's such an interesting one is that IT and system managers generally hate it. [LAUGH] And so the problem we have in cyber is, once in a while, we hit on something that cybersecurity experts want, but IT folks don't like too much. And diversity is the poster child for that. A counterexample would be virtualization, where data center managers and CIOs and IT managers love virtualization. It reduces costs, improves flexibility and security people should love it as well because it allows us to microsegment and to shrink wrap perimeters without hardware and on and on and on. So it's not always the case that we're at odds, but for critical infrastructure I think you want to keep in mind that there's going to be a fundamentally different set of protection measures that we use than for small. And occasionally, we may find that they're somewhat at odds with our IT partners.
Now I got a little quiz here, and the answer's all of the above. Those are all true statements with respect to critical infrastructure. So I hope this has been a helpful introduction to something that I really do think anyone who considers themself a cybersecurity expert has to have some facility with. And if you are a decision-maker, particularly in government, then I hope this has helped clarify some aspects of cybersecurity in a larger context. I'll see you in the next video.