“What Jack Voltaic does, it takes a bottoms up approach to this critical infrastructure resilience by looking at the city level. So we’re not focused on region or multi-state, but the action is happening down at the city level where you’ve got the critical infrastructure in the populations at the highest concentrations.”

“JV 1.0 was conducted in New York City and focused on a physical attack coupled with an attack on the financial industry as well as the subway.  And what that showed was …. Within each of the critical infrastructure sectors, there are communication pipelines where people report on incident, but there was not a lot of crosstalk between those different critical infrastructure sectors.”

That’s Lieutenant Colonel Douglas Fletcher and Lieutenant Colonel Erica Mitchell of the Army Cyber Institute, the think tank of the U.S. Army. They talked with Hack the Plant this month about a cyber incident response conducted by the Army called Jack Voltaic – or JV. This research series tested cybersecurity preparedness of ICS (or “Industrial Control systems”) at the local level around the country. It is called Jack Voltaic.

(Subscribe to Hack the Plant on Spotify or Apple, by RSS feed or search for it wherever you listen to podcasts.)

Transcript:

Bryson Bort:

….Welcome Doug and Erica. First up, Erica what is your role? What do you do?

Erica Mitchell: 

So my role is as the critical infrastructure key resources research group lead at the Army Cyber Institute, it’s a lot of words. What it basically means is my research group looks at issues within critical infrastructure; so industrial control systems. We’re looking at all 16 critical infrastructure sectors and how cyber attacks in those sectors can influence military operations such as force projection.

Bryson Bort:

And Doug, you work with Erica on this. What do you do?

Doug Fletcher: 

Bryson, yeah, I do. I am actually the chief data scientist here at the Army Cyber Institute. And prior to this, I was also working as the project lead for Jack Voltaic 3.0, which was our Jack Voltaic experiment that we ran in the cities of Charleston and Savannah that looked at the impacts of cyber attacks against commercial critical infrastructure on army force projection.

Bryson Bort: 

So what is the Army Cyber Institute?

Erica Mitchell: 

So the Army Cyber Institute is basically a think tank for the army where we look at various cyber perspectives. And our goal is to look at least three to five years out, as opposed to looking at current problems right now. So like for example, with our force projection, right now we haven’t had a cyber attack interfere with any type of army force projection, but we’re exploring how it could and how we can mitigate that before it ever happens.

Bryson Bort: 

And Doug, just to keep it fun, what do you think the Army Cyber Institute is?

Doug Fletcher: 

Well, as Erica said, the Army Cyber Institute, we’re that think tank. If you look across the spectrum of the army cyber community, you’ve got the operational arm, which is the army cyber command. You’ve got the educational training, which is the Cyber Center of Excellence down at Fort Gordon. And then the Army Cyber Institute represents that innovation part where we’re trying to look five, 10 years out. What’s going to be the next big thing in cyber that the army needs to think about and how can we better inform commanders and leaders throughout the army about the types of response and how we’re going to handle it.

Erica Mitchell: 

We’re trying to avoid strategic surprise.

Bryson Bort:

So Erica, how do you define industrial control systems or critical infrastructure? You mentioned the 16 different SSAs being in scope.

Erica Mitchell: 

Okay. So critical infrastructure, the Department of Homeland Security defined it as 16 sectors. I hope you don’t want me to go down the list off of memory because I can’t. But basically what we’re looking at are those backbone pieces that keep our country running. So for example utilities, that’s the energy sector. And within the energy sector, you have gas and electric, which are not always necessarily provided by the same people. So you have those types of things, and what we look at industrial control systems, and again without going too far into the weeds, those are the actual physical pieces of hardware that run this backbone. So for example, if you’re looking at the energy sector and you’re looking at an electrical grid, there are very specific pieces of hardware in place to run that and they’re designed to run for 30 years without being replaced.

Erica Mitchell: 

Well, as time has progressed and things have gotten more technologically connected, we thought, hey, wouldn’t it be a really great idea to put these things on the network so we could reduce sending people out to fix things and we can monitor and repair from a distance. Well, what happens to everything you connect to the internet? Other people want to connect to that thing. So those industrial control systems that basically provide your sensors for how your infrastructure is working and also gives it signals for example, open a relay, close a relay. Now that’s connected to the internet and so you have bad actors who are attempting to connect to that. And sometimes it’s just curiosity. People want to see how things work and they’re not necessarily bad actors and other times you have people who want to throw a monkey wrench in the system and want to have control for whatever reason.

Erica Mitchell: 

One good example is like a programmable logic controller, a PLC. It’s designed to be ruggedized in there for a very long time. And if you interfere with it, it can prevent electricity from flowing where it needs to, and then you have a problem within your grid that you either have to send a human out to fix, or you may end up having to also replace that equipment. And it’s so specialized that you don’t have your average IT person that’s really familiar with how these industrial control systems work. It’s more the realm of an electrical engineer than an IT worker. Does that answer your question?

Bryson Bort:

Absolutely does. And Doug, I’d like to put you on the spot for the same question.

Doug Fletcher:

Yeah. What Erica said is exactly right. I mean, you look at these sensors that we have out there, these industrial control sensors, and they are what help this critical or what make this critical infrastructure run. Now, where our work focuses is if something happens to one of these industrial control systems in the energy sector, what are the different interdependencies that exist with the other sectors? How does that carry over to that? You could look at, is this the same type of sensor that they may use over with water or with some other? So if there’s something wrong with the firmware there, are they going to have problems with that too? It’s really trying to capture how any kind of attacks against the critical infrastructure and the industrial control systems can perpetuate throughout the different sectors and then eventually and potentially cascade and create some very significant physical effects as a result of a cyber intrusion.

Bryson Bort: 

So what kinds of industrial control systems are there in the army?

Erica Mitchell: 

That is a very good question, Bryson. So we have a lot of the same industrial control systems that the civilian sector does. However, we’re a little bit different inside the fence. So we do have programmable logic controllers. For example, on certain installations, we have our own water treatment plants to include like here at West Point. We have our very own wastewater treatment plant and therefore we have programmable logic controllers in there. We do run our own mini grids within the military. What we don’t have are some of the bigger hardware that you would see at a regional power distribution center or something like that, where the army has very similar things on a much smaller scale, I guess, is the easiest way of putting it.

Bryson Bort: 

I think it’s also interesting. We will get into this a little bit later about public private partnership, but while the army does have dedicated industrial control systems to run core functions on a post, they also in a lot of cases depend on the local community and those utilities to provide different services as well.

Erica Mitchell: 

Absolutely.

Doug Fletcher:

Yes, Bryson, that’s correct. I mean, Erica mentioned about how West Point has their own wastewater treatment plant that’s located here. We’ve also seen where other installations have their own little part of the power energy grid that represents those, but there’s still that connection to the community that exists through the critical infrastructure that we have on our installations. And it can be slightly different for each of the installations that are out there.

Bryson Bort: 

And that’s a great segue into, what is Jack Voltaic?

Erica Mitchell: 

So Jack Voltaic is a research series that has started to look at the interdependencies between civilian critical infrastructure and the DOD. And so the first iteration was born from a Cyber Mutual Assistance Workshop. So the energy sector for many, many years has had the concept of mutual assistance. If there’s a big storm in one part of the country, you’ll see teams being dispatched from all over the country to get those lines back in place and restore service in the effected areas. So a CW3 Judy Esquibel had the idea that what if we could do the same thing with cyber, and that was back in 2016. And so she put together a Cyber Mutual Assistance Workshop that brought in some leading industry players and worked on developing these public private partnerships and really bringing everybody to the table to say, what would it look like if we had to respond to cyber? How would our interdependencies affect that cyber response? How could we possibly assist each other?

Erica Mitchell: 

And so after they had the first Cyber Mutual Assistance Workshop, they decided to try an exercise. So JV 1.0 was conducted in New York City and focused on a physical attack coupled with an attack on the financial industry as well as the subway. And what that showed was one, there are a lot of silos of excellence as we like to call them. Within each of the critical infrastructure sectors, there are communication pipelines where people report on incident, but there was not a lot of crosstalk between those different critical infrastructure sectors. And so after going through that, it actually led to the development of the New York City Cyber Command in order to have some type of unified cyber response and be able to minimize the amount of information that stayed within these silos. And we maintained a relationship with New York City and continue to do workshops with them even to the present day.

Erica Mitchell: 

And after that, we looked at JV 2.0. We decided to take it a little bit further and do something a little bit bigger and looked at a hurricane coupled with an opportunistic cyber attack. And with that hurricane scenario, one thing we noticed was we kind of took the ports out of play. We wanted to know what would happen at our surface distribution and deployment command, which is an army… our TRANSCOM battalion that focuses on the movement of army equipment. They participated, but because the hurricane closed down the port, it kind of took a lot of the cyber off of the table for them.

Erica Mitchell: 

And so we had a lot of good findings come out of Houston. Some of the similar findings from New York City that we still have a lot of these silos of excellence by moving to another large city, they’re very, very responsive to the physical, their reaction to the hurricane is on point, they know how to react to that. They’ve hosted several large events. They know how to react to any type of physical issue. But when it comes to cyber one, it’s hard to know that it’s cyber at first. The first instinct is, hey, I have a glitch in my system, let me restart it. Or hey, I’m experiencing problems, I wonder if anybody else is, let me just wait and see what’s going on. And so that is still an issue.

Erica Mitchell: 

And then we rolled into JV 3.0 where we wanted the ports back in play. And from there, I’m going to kick it to Doug because he really was the driving effort behind us doing a more regional scenario with two ports. So Doug take it away on JV 3.0.

Doug Fletcher:

Okay. Thanks Erica. And before I get into details of JV 3.0, I want to highlight something that makes the Jack Voltaic research, project unique. There’s a lot of different type of cyber exercises going on out there, but really what Jack Voltaic does, it takes a bottoms up approach to this critical infrastructure resilience by looking at the city level. So we’re not focused on region or multi-state, but the action is happening down at the city level where you’ve got the critical infrastructure in the populations at the highest concentrations. Furthermore, Jack Voltaic builds around the objectives and the goals of its participants. What we want to do is we want to explore what the different participants want to explore, because as Erica mentioned with Jack Voltaic 3.0, we wanted to bring the ports in play and look at how it impacts force projection. And we can do that by addressing some of the concerns or the objectives of the participants.

Doug Fletcher:

And then finally with Jack Voltaic, what makes it really unique is we’re not just looking at the ports, but we’re trying to pull in as many different critical infrastructure sectors as possible to see how the different interdependencies would affect one another. Because we understand that okay, you can do a direct attack or something against the ports that’s going to stop things. But what about the relationship between the port and the road network and the rail network and the energy sector? Is there going to be a small something that happens in the energy sector that could potentially cascade and impact the port? Jack Voltaic wants to look at those different interdependencies between the critical infrastructure sectors, and that’s really what makes it a unique event compared to some of the other great cybersecurity exercises that are going on out today.

Bryson Bort: 

Peeling it back a little bit more, can you explain what force projection means and why that precipitates a focus on ports?

Doug Fletcher:

Yeah, sure. So when we talk in force projection, really for the army, we’re talking about moving people and equipment from the continental US to overseas somewhere where they have a mission and they’ve got to do operations. And so for us to do that, we have different assets available to us, whether it’s through air or sea. And the reason why the ports are in place is because we use sea vessels and sea lift as one of the primary means to get the equipment from the US to overseas. So that’s why it’s important to have the ports there because when you look at… We talked earlier about public private partnerships. This force projection mission really is kind of a public private partnership in that we’re working… the Surface Deployment Distribution Command that Erica mentioned before is working with the port to get vessels loaded to get them ready and get them sent on their way so that they can have the equipment and time there to meet the commander’s mission or give the commander the capabilities he needs to meet his mission overseas.

Bryson Bort: 

So how were the two of you paired together for this?

Erica Mitchell: 

So that’s an interesting story. When I first came into the Army Cyber Institute, I had finished all of my PhD work, all the in-person work, basically. So all of my coursework and I was ABD, and so was Doug. So we both came in and we both had to finish. So when I came in, I hit the ground running on Jack Voltaic 2.0. I actually started before I even arrived at West Point. And then I also did a Jack Voltaic 2.5 Workshop Series. And that was in seven different port cities around the US. And so I didn’t have any time to work on my dissertation at all while I was also doing the Jack Voltaic lead. And so Doug finished his dissertation and it was masterful. He is a statistical genius.

Erica Mitchell: 

So he stepped in and took over leading the next iteration of Jack Voltaic so I could finish my dissertation, which I did and graduated in May of this year. So then I was able to come back and he’s able to follow his first love and move back into the data science statistical analysis side of the house. And I can do the strategy policy, the squishy cyber portion of Jack Voltaic that I love.

Doug Fletcher:

And I think the pairing too also though is to blend that squishy with the stats and really to try to capture a lot of data from this event and then use that data and provide different avenues of analysis, whether we’re looking at the different things that were said and extracting how they pertain to recommendations for policy or whatnot, or doing some natural language processing on that, building networks from there and moving forward there, or taking events that we’ve talked about in the Jack Voltaic 3.0 scenario and translating them to different simulations that provide a different pic or a different picture of what the participants experienced during that event. It was a great pairing, one that I think has been very effective for the Jack Voltaic series and I know especially for Jack Voltaic 3.0.

Bryson Bort: 

You mentioned earlier the bottoms up approach to Jack Voltaic being one of the defining characteristics that makes it different. How do you choose the cities or the regions that are participating in this? How do you bring different government agencies and different elements of the private sector together?

Doug Fletcher:

So the selection of the cities in the case of JV 3.0 was based off of the army’s defender 2020 force projection exercise that they were moving men, women, and equipment from stateside to Germany to conduct an exercise in May. Looking through how that was going to flow, we identified that Charleston and Savannah were two of the key ports that were going to be moving equipment there. For Jack Voltaic 3.0 that’s how we decided on that. We also realized that, hey, there’s a regional relationship there that we can potentially explore which if something happens at one port, what’s going to happen at the other port? Are there any connections, any interdependencies that may exist there? So that was the thought process we went through when selecting for Jack Voltaic 3.0.

Doug Fletcher:

As to how to get people to come to the table, that’s basically getting on the ground and working the contacts. Unlike an army unit where we can request our headquarters to task someone to participate and they’re forced to participate, when it comes to Jack Voltaic we could walk in and say, “Hey, we’re the government we’re here to help,” but we’ve really got to go in and build the relationships with the communities, describe to them what we’re trying to do, relay to them how it can help them, talk to them about what they’re experiencing, what they want to get out of it. And then from there, you start expanding out and pulling more and more people get it.

Doug Fletcher:

And what we found is, when we go into these communities, they’re generally excited to do this. They want to do these cyber incident response exercises because that’s something… They’re great when it comes to physical responses. Whether it’s a hurricane, they’ve got that down. But when it’s a cyber incident, there’s still a little uncertainty about how are we going to do that. And so once we get in there and we start making some contacts, they tend to reach out and bring in more people that would be interested in participating. And so we’re able to build that coalition of the willing to put together this event.

Erica Mitchell: 

So to piggyback on that, JV 1.0 was more proximity than anything else. It was a proof of concept type thing. Is this something worth doing, something worth exploring? Are we going to get good information out of it? So with New York City only being an hour up the road, it was a lot easier to put something together. And then from there, we’ve had volunteers. We always have more volunteers than we have resources to conduct Jack Voltaics. But for Houston we had volunteers who said, “Look, we’ll do a lot of the leg work. We have a lot of the existing relationships and we just want you to pick us.” And so the folks down there in Houston really, really came together and did a lot of the trust-building and coalition building for us.

Erica Mitchell: 

JV 3.0, because it was tied to an army exercise was unique in that we had to do a lot more of the relationship building and trust building ourselves. And so that JV 2.5 Workshop Series that I mentioned, which basically shared the findings from the previous iterations of Jack Voltaic and then also did like a mini exercise. We conducted those in Charleston and Savannah in order to gauge how they would feel about having a JV there. The other option would have been Beaumont, Texas, but they had already participated in the one in Houston. So we weren’t quite ready to revisit the same place we had already been and we’re trying to still explore new places. And so even now we have plenty of volunteers but we’re limited in the resources we have to plan and conduct these exercises because it takes 18 to 24 months, especially with us coming from the outside, doing the relationship building and trust building with these cities.

Bryson Bort:

What have you learned from the multi-year effort with Jack Voltaic?

Erica Mitchell: 

So one of the big lessons is we still have a lot of the same issues with these silos. I would say first and foremost, prioritizing cybersecurity still isn’t happening. I mean, we have all of these attacks that are happening on a frequent basis. And when it comes down to it, resources are the hardest part. People don’t have the time, the personnel, and the funding to really be able to beef up their cyber security in the way that they should. And so we see that time and again. And then we also see the identification of a cyber problem tends to take longer than it should.

Erica Mitchell: 

Within our scenarios, it’s kind of artificially built in. In the future, we’re trying to move to where people have more of an opportunity to identify that there’s a cyber issue. But as we conduct these tabletop exercises, we ask people what they think it might be. And it’s rare that we get people thinking it’s something cyber on their own. Obviously because it’s a cyber exercise, they figure at some point it’s got to be cyber, but they’re not sure. And then that leads into another repeated finding and that’s who has the authority to declare a cyber incident, and what does declaring a cyber incident even look like? Because there are resources you can bring to bear once you declare an incident, but knowing how to declare it and what the channels are for notifying that there’s a cyber incident and requesting resources, those mechanisms just aren’t really solidly in place right now at the municipal level.

Erica Mitchell: 

Whereas on the other side, I participated in a national tabletop exercise that had representatives from government agencies. And at the national level, they like to reiterate that they have these plans and if something were to go wrong, they’re fully ready to deal with them. But the disconnect is, the local level is the front line. That’s where the problem is going to happen. The national level is where the resources are, and they’re the ones who can probably solve the problem. But there’s no solid connection between that local municipality and the federal level in order to make these things happen. And that’s what we’re looking to try to improve, getting people to understand how to make that connection.

Doug Fletcher:

Yeah. And I want to add to that and say, what we see is at that municipal level where things occur that you don’t have that catastrophic, hey, the power grid is shut down. You don’t have some catastrophic effect that requires the immediate allocation of federal assets to the problem and fix it. Instead, it’s kind of small things. The traffic lights aren’t working right. Basically our HR systems are infected. And so we can see that, we can start working on that, but these smaller incidents that might go under the radar, what we try to look at with these is how do they cascade to where we can get to a threshold where someone can say, “This is a cyber incident, and I need help.”

Doug Fletcher:

I think, as Erica mentioned, we’ve tried to help bridge that gap between the perception at the higher echelons and the perception at the city level. That’s one of the great things about our unique approach to this is that we’re able to provide that change of perspective in cyber incident response and allow more input to go back and give the feedback to what our current plans are.

Doug Fletcher:

I would also like to kind of highlight here. One of the things that JV does is it brings the operators and the leaders to the table at the same time to where they can talk and they can see how each other’s operate, where an IT or cybersecurity professional would see something and then how they communicate it to the leader and what the leader’s response is.

Doug Fletcher:

With that, Erica kind of hinted on it is that there’s still not understanding of cybersecurity as a platform issue. It’s something that at, especially at the local level, would you rather have a robust cybersecurity program or fix potholes. And so helping people or communicating that cybersecurity has to be part of that platform that all leaders need to understand at every level. And we see evidence of that throughout the past couple of years where small towns in Texas are getting ransomware, City of Baltimore, City of Atlanta. It’s not a problem that you can overlook. And so emphasizing that for leaders to start emphasizing that that’s part of their way of helping protect their communities and helping to provide for their welfare of their citizens, I think is one of those things that we’re also trying to achieve with the Jack Voltaic series.

Bryson Bort:

If you had your druthers, where would you want to take it?

Erica Mitchell: 

So for me personally, the next one I’d like to see would probably be another regional one. And I’d like to see it tied to either a global defender that basically is looking at moving equipment from the US to Europe, or there’s also the INDOPACOM region, the Pacific Command region, which would allow us to conduct it in Hawaii. So that would be another nice opportunity, but it would also be regional looking at that connection between the West Coast of the US and Hawaii and the rest of the PACOM region.

Doug Fletcher:

Yeah. And I’d like to add on to that too. I think there’s a lot of opportunity here to help improve the public private partnership between an installation and the surrounding community. And I think what we saw with Jack Voltaic 3.0, where we had 3rd ID along with Savannah and Hinesville, Georgia in there is there’s opportunity for these types of events to help an installation better understand how its critical infrastructure relates to the community, but also to help improve the relationships between the community and the military as well.

Bryson Bort: 

All right. So this is how we close out each of these shows. So Erica, we’re going to give you two questions first. Actually, you know what, do you want to mix it up and make Doug go first?

Erica Mitchell: 

Yes.

Bryson Bort:

Yes, let’s do that. Then you get the time to think while he has to answer the questions. All right, Doug, for all the money on the table, if you could wave a magic non-internet connected wand, what is one thing that you would change period, anywhere bigger than Jack Voltaic? If you could wave your wand to change critical infrastructure, what would that be?

Doug Fletcher:

I really think the one thing I would want to change or improve on is how information is shared across critical infrastructures. And how we get that information out there? Because as we saw with events throughout the Jack Voltaic series, whether it’s 2.0 or 3.0, something that looks like an anomaly in one sector could be critical information for another sector to know. And it’s just, how do you get that sharing to occur, not just across critical infrastructure sectors but also from city up to federal. In the cyber domain, you’ve got to have that clear situational understanding from left and right and top to bottom. And I think if I could wave a magic wand, that’s what I would look for.

Bryson Bort:

Well, now you’ve waved your magic wand. It’s very pretty. Now looking into the crystal ball for a five-year prediction, what is one good thing and one bad thing that you think is going to happen?

Doug Fletcher:

I think the good thing that I see happening is the communities are understanding more and more about what cyber can do, and there is a desire to do something about it. And so I think that movement, especially at the city and county level, they understand that it could be a challenge and they’re looking for ways to improve themselves with that. The bad thing I think is that as we continue to improve our cybersecurity posture, our cyber incident response posture, our adversaries are adaptive. And I think whether it’s 5, 10, 15, 20 years down the road, I think that while we improve, they’re still going to find ways to get around that. And I think until we can get ahead of our adversary, then we’re always going to be in this catch-up type of game.

Bryson Bort: 

All right, Erica, have you composed yourself?

Erica Mitchell: 

I have.

Doug Fletcher:

Aren’t you going to ask her different questions?

Bryson Bort:

They’re the same questions. That would be funny. That would be great if I did mix it up and be like, “Are you ready? Now, completely something different.”

Erica Mitchell: 

So I’m like the person who wishes for more wishes. If I could wave my magic wand, I would want everybody to get it. I would want everybody to understand the actual risk. And from that, I would expect that people would get the business case for spending money on cyber security. I would expect that security would be baked into every piece of hardware that ever connects to the internet ever. I would expect that firmware would always be upgradable, and if it wasn’t, people would throw it out. And I would expect that privacy settings for devices that you connect to the network would be very granular, and you would be allowed to make decisions on your own home devices as well as our devices that we place on enterprise networks. So I’m the person who wishes for more wishes with my wish.

Bryson Bort:

All right. You’re still on the hook for prediction.

Erica Mitchell: 

So my prediction is, the good thing that would come of that is that you would have a lot of inherent security. You would put adversaries in a defensive posture where they’ve got to work that much harder to get into your system. It’s not, let me go out on the dark web and grab some script kitty stuff and be able to get in, or let me use Shodan.io and find whole network devices or devices at state capitals because they’re out there. But the downside to it is really going to be expense. Security costs money and that expense is going to be passed on to consumers in the case of doing it as part of your business case and spending the money on security for your company. It’ll inevitably be passed on to consumers. And right now our economy is a little interesting due to COVID. However, I think once that initial expense happened, it would be much more manageable in ensuing years. So by the time you hit the five-year mark, you would probably be reaching more steady state operations, although your past five years you would have taken a bit of a loss.

Bryson Bort:

All right. This is a grab bag. Anything that you would like to add or close with?

Erica Mitchell: 

Doug, do you want to go first?

Doug Fletcher:

I really want to say that the Jack Voltaic series does offer not just the army, but communities a unique perspective into cyber security and cyber incident response. It’s a tool that we can use to help us better understand this crazy domain known as cyber. But most importantly, it’s a tool that I think… and something that we can help get after all of these wishes and dreams that we’ve talked about here, but also to just help the country be more secure and help the country be more resilient. As we’ve seen with how we’ve developed and refined responses to physical incidents, I believe that we just got to continue to practice and look at how we can get better and get to where cyber incident response, they get the same repetitions and feeling for that.

Erica Mitchell: 

And for me, I just want to add that we are still pursuing the Jack Voltaic research objectives, and actually our way forward moving on, we’re looking to automate a lot of the process to reduce that planning time from 18 to 24 months to preferably days. So be on the lookout in the future for possible beta testing of a planning tool if you’re a municipality that’s looking for a way to self-assess where you’re at with your critical infrastructure security. And I appreciate you having us today, and I always love to be able to proselytize about security.

Bryson Bort:

Amen.