Strategies for Industrial Resilience: Insights from Mark Mattei

Podcast cover for episode 34 with Mark Mattei

In this episode, Mark Mattei, Global Director of Industrial Managed Security Services at 1898 & Company, unpacks the high-stakes challenges of protecting vital systems from sophisticated attacks. Host John Vecchi highlights the critical issues surrounding IoT and OT security within industrial critical infrastructure. From the importance of cybersecurity in industrial environments to the practical challenges of compliance and regulation and strategies for mitigating cybersecurity threats without compromising operational integrity, Mark shares key insights and actionable advice for operators in today’s volatile security landscape.

Listeners of this episode will hear about…

The Growing Complexity of OT and IT Security Needs: Mark discusses the increasing sophistication of threats targeting critical infrastructure, including state-sponsored attacks and ransomware, and the complexities operators face in balancing security needs with uninterrupted operations.
Challenges with Compliance and Budget Constraints: Critical infrastructure operators often face budgetary and regulatory challenges that limit their ability to invest in cybersecurity. Navigating mandates like NERC CIP and adapting to regulatory changes is essential but can detract from proactive security efforts.
Building a Supportive Community: Mark encourages operators to reach out within the OT security community for advice and support. With limited experts in this field, sharing knowledge and collaborating can make a significant difference for smaller utilities and organizations facing resource constraints. 

Transcript

 

John Vecchi:

Well, hey there everybody. You’re listening to the IoT Security Podcast live on Phosphorus Radio. I’m your host, John Vecchi. And if you’ve been listening to the show lately, we have definitely been spending a lot of time talking about the industrial area, industrial control systems, OT environments, all that’s happening there, and we are going to continue that today. We’re going to take a different spin on it today with our very special guest today, Mark Mattei.

I’m going to introduce Mark, and we’re going to talk about Mark’s focus, comes at this from a different angle, actually more of consultative managed services. He’s got lots of experience in this. This is going to be very fun because we are going to have an opportunity to get an insight from Mark’s perspective. So let’s go ahead and introduce Mark Mattei. Mark is the Global Director of Industrial Managed Security Services and Incident Response at 1898 & Company. Mark, man, it’s great to have you on the podcast. Welcome. Thanks for joining us today.

Mark Mattei:

No, appreciate it. Thanks for the time. It’s always good to get out and talk to folks.

John Vecchi:

Absolutely. So look, we got a lot to cover. I love your background. It’s really why we wanted to have you on and just talk about a range of things today, and I want to talk about what your focus is and how you got there. But can you tell us just a little bit about 1898 & Company so our listeners can understand where you guys come from, what you’re doing, how critical … You’re really providing something very critical. I don’t think most people will understand that, so just enlighten us a bit.

Mark Mattei:

No, thanks, appreciate it. So 1898 is the consulting arm of Burns & McDonnell. Burns & McDonnell is a large AEC, basically industrial critical infrastructure construction company. And 1898 provides the consulting services for the Burns & McDonnell client base. So that includes consulting services on EUC infrastructure, any type of management infrastructure, and of course cybersecurity.

I, as you mentioned, lead the managed security services business line for 1898, and of course we have a large security consulting business along with that managed security line in 1898. I joined 1898 about three years ago from another IT managed security business. I spent about five years building out an IT managed security services business, and there we were providing support to some industrial and manufacturing clients as well.

1898 and the security business, of course focuses on industrial critical infrastructure clients. So we provide not only security consulting for the OT or the operational technology side of the house for those clients, but really for the clients across the board. So from a managed security perspective, we provide managed security services for enterprise OT environments, enterprise IT environments, really the full gamut of the support that the clients might need across the board for their cybersecurity needs.

And that really comes with a huge background and history for critical infrastructure themselves. So all of the focus that 1898 has, the experience that they have come from the 126 years now for Burns & McDonnell. So Burns & McDonnell, 1898 is the year Burns & McDonnell was founded.

John Vecchi:

Got it.

Mark Mattei:

So we have a long history of supporting critical infrastructure across the board. And 1898, really for about 25 years now has been providing consulting services, really for about 7 years cybersecurity consulting services, and about 4 years now, managed security services. So a 24 by 7 threat detection, hunting, security platform management across the board. So we’re partnered with a lot of the OT security companies out there and we support all sorts of critical infrastructure, pretty much all the verticals from an industrial critical infrastructure standpoint.

John Vecchi:

And that’s interesting because obviously when we talk about IT, OT convergence and you guys live it, you can manage the entire IT, OT side. So I mean, and it sounds like-

Mark Mattei:

That’s correct.

John Vecchi:

Yeah.

Mark Mattei:

And as I’m sure your listeners know, it runs the gamut of different types of networks. Some networks are flat and have all of their OT IoT devices alongside their enterprise IT devices on separate networks. And there’s clients who have the segmentation and the air gapped, if you will, networks for OT systems that are critical.

A large client base for 1898 and Burns & McDonnell is the energy and utility space where there’s a lot of regulations with respect to NERC CIP requirements, which require the perimeter of those OT systems to be in place. But then there’s other critical infrastructure that don’t necessarily have that well of a segmentation base starting out as they go down their cybersecurity journey.

John Vecchi:

So obviously electrical grid, is it oil and gas as well? Does it cover all types of, I mean, you name a critical infrastructure utility, you guys probably work with them. Is that safe to say?

Mark Mattei:

Yeah, I like to say cement floors, not carpeted floors when I talk about industrial critical infrastructure. So whether that’s a manufacturing floor, an energy, we do a lot of work with pipelines, natural gas. Now the big thing is renewables. So we’re working a lot with companies on their renewables, whether that’s from the asset planning capabilities, whether that’s from the projections. And then of course the cybersecurity needs across the board with respect to oil and gas and utilities and energy and critical manufacturing, all of the industrial focused clients that we have.

John Vecchi:

Yeah, very interesting. As I often say, Mark, it’s a small world, the OT, ICS side of the world. Tell us, did you start more on the IT side, then move into the OT side? Or was it at the same time, was it the other way around or how did you get to where you are because it’s always so fascinating to talk about? You know it, right? There’s really a big shortage in experts like yourself in this industry, right?

Mark Mattei:

Oh, absolutely. The shortage is out there and I think people can make transitions, whether they’re coming from the IT side or whether they’re coming from the OT operations and compliance side, they can get into those. So I mentioned that I was in a managed security business that supported critical infrastructure as well. It was IT MSS, but we supported critical infrastructure.

But before that, I was in the Army for 22 years. So I spent a lot of the time really building from a network standpoint and really building on security from there. Part of the time I was in the Army, I spent three years at NSA, and some of the focus that we had there of course was protecting critical infrastructure. A lot of the things that DHS and CISA are involved in, the National Security Agency supports with respect to threats against the nation, if you will.

So I did a lot of learning about critical infrastructure when I was at NSA, and that just really took off. Really way back in 2004 when I started and I ran the Army’s Global Network Operations Security Center, I really got paranoid based on all of the nation state attacks that were happening against us, and at that time DOD across the board. And that really led me down that path of focusing on what was most critical.

My decision really to come to 1898 and Burns & Mc’, really is from an altruistic standpoint. Being in the Army for 22 years, I still care deeply about the nation’s defense and I like to call our critical infrastructure operators really the new militia, if you will. So it really is the folks that are on the line.

We have one client, it’s a department of public works, provides water, and it’s really impossible to think about when you take all the individual local utilities, the co-ops, all of these individual providers that they could basically defend against China, Russia, Iran themselves. It really is the new militia when it comes to defending our critical infrastructure is these critical infrastructure operators.

And sometimes it’s one IT guy and his job is responsible for IT and defending the entire infrastructure that they have for that town or that rural location or whatever it might be. So helping those types of clients is really what motivates me, if you will, to help support our critical infrastructure base.

John Vecchi:

And I mean just that image you just outlined there, the reality of that for a lot of the critical infrastructure, there’s not massive teams. They don’t have huge cybersecurity teams like enterprise corporations with massive budgets and big IT security teams. You mentioned operators, it’s a different breed, they’re in a different world. So let’s talk a little bit about that.

And I can imagine with your years in service, and thank you for your service, in the NSA, and you just go back to a Stuxnet in 2010 or so, and then you fast-forward to today and you just see this unbelievable pace of just highly sophisticated threats and attacks and malware, Industroyer and Havex and then Industroyer2 and Pipedream and now you’ve got the FrostyGoops and the Fuxnets of it. It’s really quite staggering. I mean, if you just looked at even the last year, it’s almost breathtaking the number of types of threats that are targeting this.

But then on top of it, I always say, don’t forget about ransomware gangs. Don’t forget about other types of threat actors that are looking at this stuff. We call it extended internet of things. IoT, as you said, it hangs out mostly in carpeted areas, but don’t forget, a lot of that IoT stuff can be coexistent in OT environments, but then you got the OT and ICS and the industrial IoT and all this stuff, and these devices are not in a great state of security. So given you, that altruistic sense of, I want to help this, you are up against quite a challenge, right? Talk a little bit about that.

Mark Mattei:

Yeah, right. And you mentioned all the things, right? Just the local recent stuff about Volt Typhoon and all of the different threats and attacks out there. They’re getting more and more sophisticated and more and more targeted against the critical infrastructure sector.

Part of my thought process with managed security services and incident response is if you get a good response plan in place, if you get threat detection and hunting capabilities in place and you have tools and you get good return on investment for those tools in those environments, you really can jump the maturity gap. NIST has a maturity gap. Gartner has put out their timeline, the wow factor of when critical infrastructure or physical, cyber-physical systems come out.

You really can get a good bang for your buck when you’re talking about getting threat detection in place and having practiced tabletop exercise incident response plans in place because it really helps you with your maturity. And it’s almost like a force multiplier because as you get those in place, you realize the architectural vulnerabilities and the security challenges that you have that help get fixes in place for those type of things.

Whether it’s fixing your segmentation because now you have visibility of your network and you’re going, “Okay, I have all these assets, I have this visibility. Now I can fix the things that I see.” And you put a plan in place while you’re getting the infrastructure in place. So it absolutely is a challenge and helping the clients with that is hard.

We talk about the 1898 client base in industrial critical infrastructure, a lot of the folks, the regulated utilities have to go back and do rate cases in order to get money. It’s not an easy thing when you’re talking about being able to fund the cybersecurity needs, because you have to go do a rate case or you have to figure out how to get capital funds in order to put programs in place. And then you got to work through how do I use the capital funds to put an operational system in place for threat detection or any OT security tool? How do I do that? And it’s challenges across the board.

There’s the technical challenges for actual security procedures and architecture and segmentation and those things, but there’s also challenges navigating the budgetary concerns, the financial concerns, the return on investment of the tool capabilities. How do I do different POVs with all of the different tools that are out there? What’s the best bang for the buck depending on what tool, based on my architecture, what my outcomes need to be?

Because everybody’s a little different with the current tools they have and they need to get value out of those other tools, never mind meet from a utility standpoint, when you talk about NERC CIP medium and high, how do I meet those compliance requirements when I’m basically being told to? There’s the new 2024, allowing to put base electrical system cybersecurity information, BCSI, into the cloud. How do I navigate that without getting the auditors to ding me on being able to protect my BCSI in the cloud?

We have the upcoming security monitor, internal security requirements with CIP-015 that are coming out. Even just trying to navigate what do I do for regulations, like with TSA and the pipeline regulations, how do you navigate that as a pipeline operator? All those different things and all the different regulations, what the EPA is putting out with water. Water’s becoming a big target because of the way that it’s out there. So I worry about basically power, energy, oil, gas, pipelines, water. I worry about all of those pieces and how to navigate getting the resources to get those things protected.

John Vecchi:

And I mean the operators, if you’re a typical operator and you just sat and heard you walk through that, their head’s probably spinning. You know what I mean? Again, all of what you said is over the backdrop of critical operations and devices that are critical and everyone’s allergic to doing all kinds of things that will interrupt or interfere with them. And so on top of all of that, you have the operators saying, “Whoa, whoa, whoa. Take it easy. These are critical things. I can’t afford anything to happen to them.”

So it’s like, wow, you’ve got the technical hurdle, you’ve got security issues, you’ve got compliance mandates and all kinds of things. And then you also have their world, which is, “Don’t mess with my stuff or don’t mess it up. But at the same time, I hear you, I need to do something about it.” It’s quite a balancing act. And I can imagine you and your company, you guys spend a lot of time helping balance that and help them overcome those kinds of issues, right?

Mark Mattei:

That’s a great example. I spoke with a client last week or a couple of weeks ago, and you hear a lot about OT and IT convergence, and this utility basically is like, “No, that’s wrong. All the IT stuff is going to the cloud and it’s diverging. All the OT stuff is staying in the local data centers.” So you can’t get the economies of scale that you would like to by the convergence of OT and IT. It’s actually diverging and you need multiple sets of hands, if you will, to operate the different infrastructure as before.

So it’s a very interesting problem that you have because the IT started moving to the cloud mindset, and they’re basically now getting separated from the OT. And the operators of course, are not going to and can’t in utility BCSI medium and high cases, can’t put their stuff in the cloud easily. It’s just not an easy thing and it really is challenging for them, and they don’t want to have anything, right?

We support multiple OT security systems, and the biggest thing is the active querying discussion. We have the systems and capabilities that are out there that can do the active querying capability, even active remediation in some cases. But the conversation with the operators is like, it’s a long laborious explanation that you have to help them understand. And it gets down into technical details that the operators don’t want to or have time to worry about.

They can just say, “Well, I’m just going to leave it here. It’s going to be untouched. I’m not going to worry about it and it’s going to hold up for me.” But when you talk about from an operational resiliency standpoint, whether it’s a cyber incident or whether the system is just unpatched now, but you end up having an outage because of that thing.

1898 does a lot of work with INL, Idaho National Labs on things like CCE and cyber consequence engineering and CIE. And one of the things we like to talk to clients about is basically, what are your high consequence events? Let’s plan around what the worst day is and be able to mitigate and remediate fast when something like that happens, these high consequence events. And then you can engineer those high consequence events away and then be able to focus on the cybersecurity aspects because you’ve engineered that high consequence event away.

So there’s a lot of things that can be done, but as you mentioned, getting the resources and the folks that are trained to do this and understand it is hard because we’re short. I mean, the critical infrastructure cybersecurity community is small. There isn’t a lot of folks around. If you go on LinkedIn and you just type that in, you’re going to get the same 50 faces constantly because those are the folks that are making a difference in that field. So it really is a matter of, as you mentioned, getting folks to transition over to the, like I said, the modern day militia fight of protecting critical infrastructure.

John Vecchi:

And let’s talk a little bit about the infrastructure. You talked about, I love to use the term carpeted areas, non-carpeted areas as well, it just makes sense of the types of devices in the environments. And there’s a lot of different types of devices, and this sometimes could be confusing. We talk OT, we say ICS, industrial control systems. Or maybe if you’re a manufacturing facility, industrial IoT with all the robotics and things.

But you look at any general OT environment, and there’s a lot of types of different cyber-physical systems there. Obviously you have the HMIs and the PLCs and you got PDUs and UPSs and all the environmental sensors, you have gateways. But then mixed in with all of that, you do have door controllers, you can have some building management, you can have cameras and ruggedized printers and lots of different types of devices.

So when you approach a typical environment, how do you get your head around all those different devices? How does it come into the equation, I guess, when you think in terms of the cyber, given that those things are deployed around those, and you can’t just say, “Well, nah, those things are all in the carpeted side,” which they are. Some of them are intermixed within the critical environment, right?

Mark Mattei:

No, absolutely. You mentioned door control, building management systems. Burns & Mc’ builds a lot of data centers. So even if you just think about from a data center perspective, door controls, HVAC, power generation, it’s all local to a data center. So how do you protect that building? And then imagine inside of that data center, all of the infrastructure that’s there. So it really is a challenge and it really ends up being a focus.

A lot of it, the resources come down to it. A lot of clients can’t afford, rightly so, to have multiple different threat detection systems in place. So they have to make the best choice that they have for the types of infrastructure they have. So if it’s a heavily IoT type of environment, then they’ll look at that type of security. And of course, that mainly IoT threat detection system will take into account OT systems.

So I don’t discount, I’m partners with a lot of OT security and they’re all good. They all have all of their pros and based on the different architectures, based on the different device bases, based on the different areas, they’re all good to be useful. It’s just a matter of getting the return on investment on those, being able to know, okay, I have this tool and I also can get my building management systems. If I take a SPAN port from the network switch over here, I can get my DCS system for my power generation. A SPAN port over here, and I get them both into that same system and be able to use that as opposed to trying to patch together things.

The IT CISO community is now getting saddled a lot with the OT manufacturing side, and they’re trying to do the equation and cover down on that and you’re seeing that convergence of tools. I want one tool to be able to cover everything across the board, but my environment is 80% IoT as opposed to another environment, which is 80% OT because it’s a power generation or a refinery or a pipeline or a driller. But you’re seeing the same relationships and there really is a difference in the expertise by vertical.

Somebody who’s been in utilities and energy all their life really knows that stuff. Somebody who’s been in pipelines, gas and chemicals all their life knows those different types of infrastructure. Even the OEMs, they’re catering to that. Schneider, ABB, all the Rockwells, they’re catering to those infrastructure and they have the devices. But it’s not just about knowing what MODBUS is, it’s really knowing about what the functions of that apparatus, whether it’s a power generation or a pipeline does, and how that communicates and what those specific networks look like to organize how you do the protection of those systems.

John Vecchi:

Yeah, and you mentioned MODBUS again, things like FrostyGoop that specifically … Now here’s a piece of malware targeting that specific protocol, this evolution of these living off the land type approaches that are really looking at the fundamental, it’s really the device. They’re leveraging the device and using it in a way that’s actually capable of doing.

And so when you think in terms of the state of these devices, I’d love to get your thoughts on it. I mean, we have a labs wing at Phosphorus. We look at a lot of different stuff, and if you listen to this podcast, you’ll hear me talk a lot about what I call the fundamental security hygiene of these devices. Like I say, it’s 1994 all over again. Credentials, almost all these things deploy with default credentials-

Mark Mattei:

Default creds, yep.

John Vecchi:

… configurations out of the box, configurations default. Ports and protocols wide open, certificates are a mess, to say the least. Firmware on average, seven, eight years old loaded with critical CVSs. It’s a mess, right?

So how do you see these? When you think in terms of why these threat actors, why even ransomware gangs, I mean, they see a bunch of these devices and they know they’re all deployed with default credentials I can look up on Google. That might actually be the easiest ransomware attack I’ve ever launched in my life. If I just go in and change all your passwords and then call you up and say, “I just locked you out of all your devices.” But how do you see the state of these devices when you live with them every day?

Mark Mattei:

No, so I think getting a handle on all the devices and the hygiene is one thing. The patching problem and updating problem is never going to go away.

John Vecchi:

Never.

Mark Mattei:

So focusing on just trying to continually patch, sure, you have to do some patching, but you really got to focus on what your architecture looks like and how do you mitigate the threat versus patch the vulnerability. So having a plan to come up with and say, “When there’s vulnerabilities released, I’m going to have a way to understand if that vulnerability is actually a risk to me, or because I have SMB blocked at my firewalls, I don’t have to worry about that. Or if I have these different ports blocked, I don’t have to worry about that PLC vulnerability because no one can ever get to it. Let me check that mitigation to make sure it’s in place.”

I provided an incident response to a client that basically had Conficker across one of their manufacturing plants. And here’s a little bit of the difference in the incident response for an OT perspective versus an IT perspective. When we did the incident response, of course, we found Conficker all over the manufacturing plant, we put the initial mitigations in place to stop the bleeding. And then we came up with a plan to remove the Conficker. Of course, the plant can’t shut down, so you can’t, right?

John Vecchi:

Right.

Mark Mattei:

Conficker, the way it spreads, you would spend a lifetime going from machine to machine removing Conficker just for it to spread again in the local area. So we put the mitigations in place, and because Conficker is just a process running on a box, we left it there. It’s probably still running on boxes within that manufacturing plant, but the mitigations are in place to stop any actual threat actors from doing anything with that malware.

As long as it’s not doing anything, then it’s just a software program running on those systems right now, and it has no effect or impact because the assessment was done to mitigate that risk a different way, not worry about patching the vulnerability or removing that malware from those systems.

John Vecchi:

Got it, a hundred percent. That’s the reality of the situation. Does that mean then that, like you said, you talked about you need to understand your architecture, your systems, all of that visibility of those devices. I mean, understanding at the very least where is everything and what you have, what is the attack surface? Does it come down a lot to that?

And look, like I say, I talk about this never bucket, which is never going to patch it, never. So now I want to know where it is. I want to know what it is. I want to know when it’s vulnerable, and maybe I’ll monitor it in some way. So does it come down to visibility in your sense? Or how important is ultimately just starting with really that full visibility, which might come back to that kind of, do we actively discover to get comprehensive visibility? Talk a little bit about that.

Mark Mattei:

No, absolutely. So getting visibility of course is one of the things that’s needed, and it really helps you define the risk that you’re under. If you don’t know how many assets or the types of assets, then you can’t really organize your risk and your risk mitigations to support that.

So knowing those assets is one thing. Having the capability to understand what risk they’re under, not just what vulnerabilities they have is a key piece as well. So this way you can mitigate the risks, understand the assets. And it helps you understand the architecture and the architectural vulnerabilities and risks that you have as opposed to just the device risks.

And then you can do capital planning type activities of this is a device that hasn’t been made in five years and is actually going to run out of support within the next five years. So then you can make the case to change that device out and not have to worry about it. But if you don’t know that’s there, five years from now, all of a sudden you’re going to have this expense of I got to change this thing out because it has no support anymore, operationally. Not just from a patching standpoint of nobody’s making patches for it, but operationally, you can change it out. But we run into infrastructure all the time that still has Windows 7 running. It’s just a typical environment from a critical infrastructure standpoint, that that stuff ends up being in place.

John Vecchi:

You mentioned a little bit before, obviously these guys are under a lot of pressure on the mandate side, and you talked about things like NERC CIP. Again, here comes a whole nother thing. You look at something like NERC CIP, just start with the high level of it. It’s an asset ID risk assessment. There’s security management. You’ve got training. You’ve got physical security, incident response and recovery plans. I mean, boy, where do you start? Are operators really focused on this now? Have they come a long way, do you think, in just what they have to deal with on top of keeping this critical infrastructure operational?

Mark Mattei:

Because NERC CIP is a mandate, really, they’re able to make the case to be able to get resources to fix it. But it’s kind of a double-edged sword for them because they can get resources to make sure that they’re compliant, but the compliance doesn’t make you secure in all cases. So in some cases, compliance just means that you have a future plan in place.

Okay, so now I have a future plan in place, I’m compliant. I won’t get fined if I get audited. But what I really want to do is help secure the infrastructure, and I don’t have resources to put whatever other security things in place because I’m spending time making sure that I’m compliant in some cases. So there’s some double-edged sword for that, the NERC CIP case as the example.

John Vecchi:

Which is a lot. Even you look at all the things of late, CISA has been very active. Like you said, Homeland Security and FBI, they’re all coming out with new frameworks to protect critical infrastructure. And it sounds great, but I know if you’re an operator, it’s like, “I don’t know, man.” It’s like, “Just help me get secure.”

There’s just so many that a lot of those are double-edged swords. On one hand, it sounds fantastic, it sounds great. On the other hand is what’s realistic? I mean, for God’s sakes, we’re trying to protect the critical infrastructure. There’s so much, and I don’t know if yet another framework is necessarily going to do it for them.

Mark Mattei:

Well, no, I mean, that’s a true case. The mandates that are coming down from all of the different agencies, I mentioned EPA and TSA. Now TSA is focused on railroads in addition to pipelines. Those things end up causing people to do things that are well-intentioned to help support the security, but for their specific incidents may not be the most priority thing to do, but they have to do it because it’s a mandate, right?

John Vecchi:

Yeah. Wow. Well, I can imagine for those operators and customers to have someone like you, it’s got to be a precious resource for them, Mark, seriously. I mean, there’s so much, and like you said, there’s just not enough experts in any given organization that’s designated critical infrastructure. I can imagine that you’re a resource for them that’s so critical. I can only imagine.

Mark Mattei:

I’m blessed and I believe our industrial critical infrastructure client base is blessed when Burns & McDonnell, the construction company, saw the client need and decided to invest in security because they know that that’s what their client base needed. So it’s not me, we got a team at 1898 that really is focused on helping our critical infrastructure clients.

John Vecchi:

Yeah. Well, look, Mark, as we wrap up today, and you look at the industry you’re in, the state of it, the threat vectors that it’s only increasing, what advice would you have to any of our listeners, whether they’re just getting in this industry, whether they’re an operator standing out there on their island wondering, what am I going to do, and my gosh, do I ever need someone like Mark in my life? But what kind of advice do you have in any capacity for these guys based on all of your years of just looking at this stuff?

Mark Mattei:

I think it really is the ability to reach out to the community. None of the folks need to feel like they’re an island and that they can’t get help. Even if you just go to LinkedIn and start looking at OT security, #otsecurity or places like that, you’ll find people that’ll help. There’s a lot of folks out there like me in 1898 that we start our business conversations really with just, “Hey, what are your pain points? How can we help where you’re at?”

There really is just a lot of folks out there that will give free advice, especially to the folks, like I said, the small utilities that they don’t know where to start because it’s an IT guy who’s working for the director of public works. Or there’s two IT guys, and they report to the co-op’s general manager. And they’re trying to do IT as well as cybersecurity to protect their plant. And it’s hard for them to get even just a few dollars to protect their systems when in fact they need thousands, hundreds of thousands of dollars of support to help get all of the systems in place that they would need to really protect that critical infrastructure.

It really is a field where I think people are willing to help if you reach out. There’s always a free conversation out there to get help, is what I like to say.

John Vecchi:

Yeah, I like that. And it really is true, but it’s a great point, and it’s very, very true. It’s a small world. It’s a small industry, but I think you’re right to those listening, just go look. There are a lot of people like Mark out there who are there to help. So it’s great advice. And so for our listeners, Mark, how can they get ahold of you? If they do want to reach out to you, what’s the best way for our listeners to reach you if they want to?

Mark Mattei:

You can go to our website, 1898.com, and my email address is [email protected]. You can email me. I’m on LinkedIn. Mark W. Mattei on LinkedIn. There’s plenty of posts out there and they can reach anything, right? We’re online and anybody from 1898, I’m sure will respond and help you.

John Vecchi:

Phenomenal. Great. Mark, we could talk a lot longer, I’m sure, but Mark Mattei, thank you so much for joining the podcast today. We’d love to have you back. We’re going to stay in close contact with you, my friend, so thanks so much.

Mark Mattei:

No, thanks for having me. I appreciate it.

John Vecchi:

It’s our pleasure, man. And remember, everybody, the IoT Security Podcast is brought to you by Phosphorus, the leading provider of proactive cyber-physical system security and remediation for the extended internet of things. Thanks again to our guest, Mark. And until we meet again, I’m John Vecchi. We’ll see you next time on Phosphorus Radio.

Author

Phosphorus Cybersecurity
