Florida Water Utility Breach – Follow Up

KINDSEY: Looks like it is right at 10:00, so we are going to go ahead and get started. Before we do start, I just want to go over the control panel here on Zoom for those that are not familiar with it. There is a chat box down at the bottom of your screen, so feel free to put anything in the chat box. There’s also a Q&A box, so you can put questions in the Q&A box or the chat and we’ll be monitoring them throughout the webinar. If it’s anything we want to wait until the end, we will definitely cover all questions at the end if we don’t get to it during the middle of the webinar itself.

Just a little bit about Tom. Tom has been a technologist for almost 40 years and a speaker for decades. He’s won multiple design awards and founded other technology businesses. He once had a software company that sold retail management software to the NSA, Sprint, AT&T, and other premiere golf clubs like Firestone and Pebble Beach. So he’s got lots and lots of experience when it comes to cybersecurity and technology. Let’s go ahead and roll it over to Tom.

TOM: Thank you, Kindsey. I see people are still coming into the room, but I’m not sure I can keep this to 30 minutes, so I’m going to go ahead and get started here.

This is a special edition of what we call our Deeper Dive series. These are normally every Tuesday at 2 p.m. Central Time, where we take certain security topics of interest – sometimes it’s from our main webinar. We may dive into NIST CSF or what’s an EDR, and we dive into it deeper to get a more technical explanation of the control or the policy, the procedure, just to help educate everyone on why these things have to be put into place and how you can go about it and what you need to do, what the next steps are. The audience is really a mixture. Managers, other technology companies, like maybe your IT company or your IT staff. There’s things in there for lots of different people as it pertains to cybersecurity.

Having said that, let’s get right into the attack and what we learned from it. First of all, there was reportedly no firewall installed. I would think that it probably had a firewall because I just can’t imagine not having a firewall these days. Even everybody’s home computer has a firewall. So, more than likely, the computer was DMZed. That stands for demilitarized zone. What that means is inside of a router, you can open up everything from and to the internet to a PC directly. It’s a very easy way to let people remote access a computer. Unfortunately, it’s the wrong way. You should never, ever connect a computer directly to the internet or DMZ a computer. Even we don’t do that because it is very, very risky.

There was none or insufficient secured remote access. So it either had none – and you can configure TeamViewer to not have any security on it at all. But I suspect there was security on it, or at least I hope there was, and the username and password were shared to everybody that needed access to the control. In fact, I know that to be true because they saw the attacker actually do the attack.

So it was a shared TeamViewer account, which you really shouldn’t do. You need accountability. We need to monitor logs for who, what, when, where. It’s not because we’re worried that somebody in the organization is going to do malicious things; we just need accountability to identify people or computers that are accessing a remote system.

Another thing that came up that was a red flag is this particular computer that was controlling the ICS, or the SCADA system, was Windows 7 OS. Windows 7 OS has not had a security update for a year and it will not have any more security updates. Microsoft extended the support life of Windows 7 I think at least twice, if not more. I think you could even buy an extension, even after they quit doing public extensions. The report didn’t specify if it was Home or Pro, but even if you wanted to buy more support, it had to be at least Windows 7 Professional. That you should not have in your organization.

And finally, there was poor or no administrative security controls. What I mean by that – these are policies and procedures that cost nothing to implement around things like, what are the credentials? How are we going to secure the login? How are we going to monitor this and make sure it stays secure and we can detect threats?

Just like in an airplane crash or a Space Shuttle disaster, there’s usually multiple things that led to the attack that allowed the attack to occur, and these were the ones that DHS, FBI, and everybody else determined are what led to this breach.

Now, what about the threat actor? This was a very unsophisticated attack. In fact, you can go on the web – any of you can; you don’t even have to go to the Dark Web – and you can get a list, or you can search all over the world, for unprotected computers and industrial control systems. In fact, another place or two, or 50 or 100 websites, list default usernames and passwords for industrial control systems. So if those haven’t been changed and they have access to it, they can easily – they don’t have to do TeamViewer. They can just get in behind the scenes and exploit it and do damage.

Because it was an unsophisticated attack, we don’t think – and I think it’s highly, highly unlikely – that it was a nation-state because nation-states, when they get in there, don’t want to be detected. They are an advanced persistent threat group, so they want to remain stealth and not be detected. Much like what we’ve found out happened with the United States and Israel’s attack on the Iranian plutonium centrifuge refinement operation. They were on that network I think a year or longer before the Iranians figured it out, and by that time at least 10% of their centrifuges had been damaged. That’s et back their nuclear enrichment program quite a bit.

So it’s most likely that this was a lone wolf or malicious insider. Those of us in the infosec business call these “script kiddies.” They know just enough to be a hacker and they can easily find all of this stuff. They don’t have to be technically skilled. They don’t have to be experienced in hacking. They can just do it. I could’ve done it. Anybody could’ve done it, what they did. It just takes – you can look it up on the internet, how to do these types of attacks. It’s very, very easy to do.

There were two components of luck here. Number one, the threat actor was lucky in that he actually got into a system that had little to no security and was very, very vulnerable. But the utility itself was also lucky. It was very fortunate that somebody witnessed the attack. It would’ve been better if they weren’t so vulnerable in the first place, but at least somebody saw it happening live and was able to mitigate it immediately.

Looking at CISA’s recommendations – and this is Alert number – well, you can read it there on the slide. I think Kindsey’s got a link for that that she’ll put in chat. There’s a lot more to this; I’m just summarizing it here. These are things that CISA recommends water utilities and other organizations do going forward to prevent something similar from happening to your organization.

Number one is update the operating system. No Windows 7. At least Windows 8 or preferably Windows 10 so you can get those security patches. On all remote access – Remote Desktop Protocol or TeamViewer or GoToMyPC, whatever you’re using, CISA is recommending multi-factor authentication. That is a third piece of credentials that has a time bomb on it that is only good for a very limited time. If you have a cash manager account with your online bank account, you’ve got username, password, and then you have a device that may be a hardware dongle, or it’s on your phone where you press a button and it shows a 6-digit number. It regenerates every 30 seconds, and typically that 6-digit number is only good for about 5 minutes.

Even in this case, even with the shared account, even with fully open to the internet, if they had just put in multi-factor authentication, the attacker would not have been able to access the computer.

They’re recommending strong passwords. That means not only complexity – nothing that can be found in a dictionary, because that can be brute forced with a dictionary attack. That’s where hackers take a dictionary and they automatically run through an entire dictionary to see if they can get in there. In addition to the MFA, you do need to have strong passwords.

They’re recommending to ensure that antivirus and firewalls are secure and up to date and patched with security updates. I crossed out “AV” there because of our own recommendations. Antivirus is just not good enough these days, but at least it’s better than nothing, but not much.

Another recommendation is to audit your network for remote access and security, and finally, identify and suspend access of users exhibiting unusual activity. In fact, it’s not just unusual activity, or anomalies as we say in the business, or security events, as we say. Every user needs an account. So it’s very easy, when someone leaves the organization – and this could’ve been a malicious insider that had an axe to grind, or maybe non-malicious; they were just fooling around – if everyone’s got their own account for remote access, it’s very easy to take those that leave the company or offboard employees – you just turn that account off and you don’t disrupt the other users of the remote system. So that’s CISA’s recommendations.

Yesterday I sent an email out and got a little bit of feedback on it. And I do appreciate the feedback even if it’s negative. But apparently the paragraph where I stated “The FBI post mortem results are in and I am absolutely furious. 15,000 people were almost poisoned. What more is it going to take for you to take cybersecurity seriously?”

It’s no secret in all of infosec and at EPA, DHS, every government agency, many of your state organizations, national organizations that have to do with the utility industry – it is no secret that water utilities are behind the times on security. The electric grid is much more secure, gas delivery is much more secure, our medical systems are much more secure, compared to water utilities.

One of the comments is “I do take cybersecurity very seriously and I must say that I am offended by your email.” Congratulations. I am happy that you take it so seriously. But you’re a minority, by far a minority. I don’t even know what the numbers are. We’re conducting a survey at some point. We had to mothball it because we were too far ahead. I hope to be able to bring that out to the water utility industry sometime. But I would say it’s likely that less than 1% of the 150,000+ water utilities in just the United States alone has implemented any sort of cybersecurity in their organization. They’re operating on a wing and a prayer, or they think they’re too small, nobody knows of them. Those are myths. If you’ve been to the main webinar, I break down a lot of those myths.

Another one remarked that “We are bombarded with too many overstated, inaccurate, Armageddon-threatening claims and advertisements.” I apparently lost my credibility on that. That one hit me a little harder, and I started thinking about that.

The fact that I visit that area of Florida quite often – it’s one of my favorite places to go in the country; it’s a beautiful area. The people there are wonderful. Just really, really enjoy it. But that made it ring home, just like 9/11 made the World Trade Center, the Twin Towers – that rung home with me because every single time I went to Manhattan, I went to the World Trade Center. I was going to the World Trade Center before the first bombing that most people forgot about, and then after that, because it was such a beautiful site. It was very easy to go up and everything.

I think the same way about that. I have a personal connection to the area. And not just me perhaps being endangered – and I’m not a water treatment specialist, okay? No more than I expect you guys to be a cybersecurity expert. We are here to help. And maybe it was overblown in the headlines and things like that. But at the very least, it would’ve done damage to the infrastructure, even if it wasn’t possible.

But why would I think that the redundant checks and everything in place would’ve been any more reliable than the obvious vulnerability that was intentionally allowed to happen in the first place? You can’t install TeamViewer and not have any security by default. You have to actively go in there and turn off all those things. You have to actively go in there and DMZ the machine. You certainly never connect a computer directly to the internet.

So my main thing is it’s not inaccurate. When I talk about all these threats, I see threats, dozens and dozens. I could find hundreds every day if I could digest that much firehose of bad news. But all of us in the infosec business understand that everything is vulnerable to some degrees. And when we see an industry that is so far behind the times, we realize that this could create an Armageddon-style event if nation-states, terrorist organizations coordinated their attack.

So I began thinking about that. What is something that I went through, participated in, beat the drum about, that is a similar scenario?

That was the Y2K so-called “non-happening” event. Me and many others, colleagues and vendors and employees and things like that, were beating the drum that Y2K is a serious event that could happen. We had to beat those drums. We couldn’t beat them loud enough. We continued to beat them for 1997, 1998, 1999, because we knew the ramifications.

For those of you that are a lot younger than I am, what was happening there is because of decades of software coding when computers had such limited resources, it didn’t know what century it was. One of the things that could’ve happened is when January 1st, 2000 triggered, it’d automatically roll back to 1900, or it’d just quit working. It could’ve been anything. Critical infrastructure devices, hospital systems – all of these systems have been built on systems and built on other systems and built on other systems.

But ultimately, there was a bunch of mainframes and legacy applications out there that programmers at the time said, “RAM will be cheap and storage will be cheap, so we’ll fix it then.” After building all these systems on top of systems on top of systems, they couldn’t pull the plug. It wasn’t going to get rewritten by the time Y2K hit. So alarms had to be sounded.

Now, here’s the deal. Because so many of us in the industry beat those drums, the U.S. government and other agencies and the private sector spent hundreds of millions of dollars to mitigate this and to lessen it. Kindsey and I were just speaking about this because it’s a little before her time. After it hit, it was a non-event. Nothing really catastrophic happened. But that was because of all of the massive amounts of drum beating.

So if you think this is unsubstantiated, incorrect, misleading, for those of us that are beating these drums for this possible cyber event, you’re just wrong. I’m going to keep beating those drums. But the comment I left in there when you guys first joined about you guys that are on this webinar – you guys truly are leaders because you’re trying to do something like this. I would encourage you to talk to your peers and your colleagues and escalate the seriousness of this topic.

This one we played Tuesday as well. It’s very brief; it’s under a minute.

Klaus Schwab: We all know but still pay insufficient attention to the frightening scenario of a comprehensive cyberattack, which would bring to a complete halt the power supply, transportation, hospital services, our society as a whole. The COVID-19 crisis would be seen in this respect as a small disturbance in comparison to a major cyberattack. To use the COVID-19 crisis as a timely opportunity to reflect on the lessons of cybersecurity, communities can talk and improve our preparedness for a potential cyber pandemic.

TOM: That was Klaus Schwab, the founder and leader of the World Economic Forum. If you guys follow the news, about 2 or 3 weeks ago they were in Davos, Switzerland. That’s where business leaders, community leaders, government leaders all converge to “what is the big think going on?” They do a lot of other things besides cybersecurity. They’re really a force to be reckoned with in the world.

Klaus is pretty much one of the smartest people on the planet, so if you’re not going to listen to me, at least heed his warning because the seriousness cannot be overstated.

What he’s alluding to is what we witnessed in the switchover to COVID, that March of 2020 thing when people were remote working and all of these different things. What he’s alluding to is what we saw just in cybersecurity alone because of the COVID pandemic. Our company instituted over 200 remote access workstations in a matter of 2 weeks, and we did it securely – multi-factor authentication, virtual private networks and all of these things. It was an all hands on deck event in order to keep our clients up and running and productive, not disrupt their business.

At the same time, we saw a tremendous escalation – I would say it’s about a tenfold increase – of attackers hitting remote access technical controls. In other words, they were looking for unsecured remote access computers. They were doing brute force attacks on Remote Desktop Protocols and TeamViewer and LogMeIn and GoToMyPC. All of these things were being attacked. We saw it literally every single second on our networks, on our client networks.

What Klaus is alluding to is imagine if there’s a coordinated nation-state effort to disrupt the water supply or the electrical grid, or four or five sectors, like the attacks on hospitals because of COVID. All of those things increased dramatically. All of those cybersecurity attacks increased a lot, and these are just a handful of the headlines. Just a small sampling. In fact, I took several off there because it was too little. Couldn’t read it.

This is a real possibility. If you understand the tools that nation-states have now – remember the Stuxnet virus that I was talking about, the Iranian centrifuges and everything? The NSA itself was breached, and not only are those tools available on the Dark Web, the source code is. So now, for the last couple of years, we’ve been seeing that Stuxnet, that’s designed to attack an industrial control system – they’re changing the source code to where it’s not attacking a very specific Siemens controller that was only used in centrifuges that only exist in Iran – they can modify that code to attack any industrial control system they want, and other systems for the matter. And they’ve been deploying this since the NSA tools are now available in the wild.

You can call me an alarmist all you want to, but this is serious stuff, and critical infrastructure has got to be protected.

Yeah, that’s a good point, Scott. Almost all industrial control systems have big problems because it’s firmware, and they’re behind the ball on it, too, which makes it even more important that you guys secure your network.

So, how do we get past this? What’s the best way? The very first thing you’ve got to do is identify what needs to be protected. Industrial control systems, billing and accounting software, personnel files, customer files, customer personally identifiable information, credit card information possibly. You’ve got to identify all those things.

Now, if you go through the AWIA, which many of you either are required to or perhaps you’ve been recommended to do it, that’s part of it. That’s Step 1. That’s the first thing you have to submit. The second one is, what’s your plan? Well, I’m here to tell you that’s not enough. I commend the EPA for launching it; you’ve certainly got to do an assessment of some sort.

But more importantly, you’ve got to respond to it. You’ve got to actually protect these assets that are vulnerable. You take your assessment report and go, “Oh, we don’t have an EDR. All we’ve got is antivirus.” Well, okay, you’ve got to swap that out. Maybe you’ve got industrial control systems connected to the internet. Arguably, I would say you need to protect them either way. The Iranians thought their industrial control systems couldn’t be breached because they weren’t connected to the internet. That didn’t work out too well for them. An amateur hacker knows how to get around those kinds of safeguards.

So you’ve actually got to implement things that are outside the scope of AWIA. You’ve got to do these things that NIST set up, and do all of them.

You’ve got to have procedures – the controls. Administrative, technical, and physical controls to actually detect security anomalies and security events and actual attacks. You’ve got to detect those suspicious ones. You’ve got to look into those. And if you’re doing it properly, you’ve got human beings on it, looking at something that’s just suspicious. That’s where it requires security experts. That’s where the cybersecurity or infosec, information security, industry is different than IT. They have differing objectives, often in conflict. You’ve got to keep in mind, cybersecurity is not an IT specialty. It’s a security specialty. We get into things like physical security and personnel issues and training, things like that. These are security things, not necessarily IT stuff.

You’ve got to respond. You’ve got to know what your response plan is and who’s going to respond. Are they trained to mitigate threats or to stop an attack? How did this attack occur? What do we do right now, and then what do we do later, when it’s time to recover?

Do we restore from backup, if it’s ransomware? Or maybe it’s a natural disaster. Flood, tornado, hurricane. We’ve got to have a plan in case the whole place is gone. The work center’s gone, the office is gone. How do we keep that water flowing? How do we recover our accounting files? How do we send bills out next month? You’ve got to have a business resilience plan. Some people call it DR, disaster recovery. And then there’s business continuity. There are technical differences between those three, but generally we just lump it under the same umbrella for the purposes of our educational series.

So we developed our own recommendations. Some of these correlate very well with CISA. We obviously need to secure any remote access systems. I recommend you guys monitor ICS, because that was not a sophisticated attack. If it was an actual nation-state – and think about this. You go, “Why would Iran attack this little water utility? We only have 5,000 customers, or we only have 50,000.” I want you to think about all the industrial control systems. Scott mentioned Siemens has the big issue. How many of you have the same Siemens industrial control systems? It doesn’t matter if you’ve got 300 meters or 300,000 meters out there, or customers, however you phrase that.

If I really wanted to do damage and I really was a nation-state and I really wanted to coordinate an attack, I would go after the most prevalent industrial control system out there in the water industry, or the electric grid, or whatever it is that I want to attack. The only way you can protect those devices from advanced persistent threats is to monitor the logs. That way, we don’t care what the operating system is. We don’t even care who the manufacturer is. We can actually see that device and what’s going on and detect security anomalies or things that need to be investigated.

Deploy EDR. That’s endpoint detect and respond. It is a multi-generational evolution of the old traditional antivirus. It uses artificial intelligence and machine learning that detects behavior anomalies. There’s no virus to be detected in a ransomware attack. Only an EDR can detect it and maybe stop it.

You’ve got to establish a security-first environment. Just the fact that you’re on this webinar, I know that each and every one of you is taking this seriously. You’ve got to establish leadership around cybersecurity. It’s no different than putting your seatbelt on, locking the door to the office at 5:00 or whenever you close up. Who’s got a key? You’ve got to treat cybersecurity just like that, where you almost take it for granted. In a secure-first environment, everybody is going to understand the whats and the whys and the hows they go about making that environment secure.

It does take effort. All good leadership takes effort. But you’ve got to lead. You’ve got to lead your utility down that road. “This is what we’re doing, this is why we’re doing it, and this is how we are going to do it so we don’t suffer the same fate as the dam in New York that had an event, as what happened in Pinellas County. This is why we’re doing these things. It’s not a hassle. It’s something that just must be done.”

And then finally, like I mentioned earlier, engage security specialists, not IT specialists. IT is not where you need to go. In fact, we’ve got an IT partner program because we love working with an IT staff or an outsourced IT company. We’re not a threat to them. This is our specialty. We don’t expect them to know everything about security, just like we don’t know everything about water treatment or even your network. That’s where your IT team comes in, and they can find other things during the risk assessment that we need to address.

I went just a little over. My apologies. Having said that, we’ll stay here as long as we have any questions or comments. If you’ve got a microphone, just raise your hand or say “I’d like to speak.” I’d be happy to turn on the microphone for you.

Security risk assessment, we’ve just gone up on our price to $795, but today, the link is in the chat box – if you click on that link and enter that code – and I think that’s only good till midnight – we’ll take $500 off that security assessment. It will outline what needs to be done in your environment to dramatically, and inexpensively, increase your defense posture from all sorts of attacks based upon where you’re most vulnerable and what your environment is. So I encourage you to do that. There’s no obligation. If you spend the $300, we’ll apply that to any services going forward. So there’s really no risk. And it’s not that painful. It’s designed to be an executive summary of vulnerabilities and things like that.

We can do other types of things. We can do a vulnerability assessment. That’s where we do things more from a technical aspect, where we probe things. If you’ve heard of penetration testing – I think I mentioned this earlier in the webinar – you need to put stuff in place before you do a pen test. And I highly recommend you do one. They’re expensive if you do it right, with a true penetration tester. But you need some security in place. You don’t want to start with nothing. You walk through the steps of NIST Cybersecurity Framework, AWIA, you implement your technical, administrative, and physical controls, and then when all that settles down and you think you’ve got everything licked, then you hire a penetration tester, if you’re that paranoid. Which I think you should be.

But if you just do the first part and do the bare minimum – we can put an EDR in, everybody out there, if you’ve got five users or less, for $50 a month. And it will dramatically decrease the chance of a ransomware attack and other events from happening in your utility. In fact, all of our clients that we put EDR on have never had a successful ransomware attack.

That link does expire at midnight, right, Kindsey?

KINDSEY: Yes, it does.

TOM: We’ve got a couple of questions here. I’d love to answer them. “Will the items you’ve discussed so far protect against a more complex attack? Update OS, MFA, strong password.” Yes, absolutely. Let me just take one of those because there’s a lot to unpack there.

There are known vulnerabilities in Microsoft Windows and Mac OS, iPhone OS, Android devices, and industrial control systems. So by keeping the software updated, whether it’s an operating system or Microsoft Office or Safari web browser or Chrome, Firefox – just imagine all the pieces of software you use that connect to the internet – they discover vulnerabilities going forward. Those vulnerabilities are published, unless it’s a zero day event, but those are rare. They do occur. That’s when an unknown vulnerability is actually known to be exploited. But the vast majority of them are vulnerabilities that you can look up. I can run a piece of software on my computer and query your public IP address, discover the services that are on your network, and it will report back to me the unpatched systems and the vulnerabilities and how I get in there to access that system. Anybody can do that. Any experienced hacker can do that.

MFA, absolutely. Strong password. These are really just the basics that you’re talking about. These are the things that you should have in there to begin with. Now, the more complex attack goes more to Jacob’s question: “Can you elaborate a little more on the point of monitoring logs for identifying potential security anomalies?”

These are what’s known in the business as a SIEM. I’m an old guy, so I’m old school in pronunciations. S-I-E-M. These technical controls ingest logs from Internet of Things devices such as ICS. They can ingest a log from a printer. They can ingest a log, or the data, from a router. And all of these logs keep track of who’s accessing it, what they’re doing, what’s being changed, and you set up triggers to alert you of an anomaly. Why is somebody changing these settings on a router? It was unscheduled, it’s unknown. How do we need to respond? What’s the attack vector? SIEMs are usually monitored by humans. It’s another bump up on the level. We don’t always recommend it; some people don’t have a budget for it. It’s not that expensive. If you’re highly, highly automated, you’ve got a lot of industrial control systems, you absolutely need it.

But just the very act of doing the basics first dramatically increases your defense posture. In the case of an EDR, it will detect things and prevent attackers from exploiting server backdoors or exploiting known vulnerabilities in operating systems. So a little bit of this is walk before you run.

Security information and event manager, Jacob. Yeah, we can see into those devices. Doesn’t matter if it’s Siemens or Johnson Controls, whatever it may be. We can see in all those different devices. Routers, switches, even. Many switches. Most switches these days.

Are there any other questions or comments?

KINDSEY: Yeah, there’s still some in the Q&A box, it looks like.

TOM: Oh, they must be at the top. “What is involved in the SRA for $295?” I don’t do those, but I’ll take a stab at it. We basically take an inventory assessment of all of the hardware. We do an assessment of your security maturity, like what’s the level of your awareness? Are you getting training? Do people write their passwords down on sticky notes, or do you have a password manager? Do you have active patching going on on your systems? Is your operating system being managed by an IT company? And that falls under the purvey of IT companies. We don’t do patching unless you guys don’t have a good IT company, or they don’t actively monitor patching. That’s some of the things. Kindsey might be able to add a couple more.

KINDSEY: We don’t take very long, either. Maybe 20-30 minutes of your time. It’s pretty much we just need to get a general overview of what you have in place, what you don’t have in place, and where you’re vulnerable. That’s really what it comes down to. We want to make sure that you understand all the risks and the vulnerabilities that you currently have and what you can do to fill those gaps and those holes.

TOM: Yep, that’s it. There’s a few other things on there, but it’s not meant to be a vulnerability assessment. We can do those for another price. That’s where we actually go and see if you’ve got any open ports to the world. It’s actually an internal and external vulnerability assessment.

It’s really not useful for very, very small installations, because we do require centralized security to be in place, like a windowless server that you actually have to log into, because it’s more secure to do it that way. If you don’t have an ADE, an active directory server in place, the internal vulnerability assessment is really not very useful. We can lock down the external stuff because that’s what we do in practice. If you engage with us, we go into the router and make sure it’s secure.

“How fast can the assessment take place?” If you click on that link and get on the calendar, the quicker the better. We had a big turnout for this, so I can’t see it, but I’m sure there’s already assessments taking place. The sooner you get on the calendar, the better. Next week we are beginning a number of series of webinars where we present that at the end, just like I did today, so our calendar is quickly filling up. Literally as we speak. So the sooner you get that on the calendar, the better off. No obligation. You can back out. You don’t have to put your credit card in or anything like that. We’ll get with you and get all the details later.

Any other questions?

All right, I want to thank everybody. You guys are truly leaders just by being on here. Let’s all lead and get secure systems in place. I can’t overstress that. It’s not inaccurate. It’s serious. I’d love it if the water utility industry would get up to par with other critical infrastructure.

Don’t forget, every Tuesday at 2 p.m. I usually do these very casual, by the way. It’s not all gloom and doom. We have a good time on the Tuesday Deeper Dive. Sometimes it’s just a good time. So I encourage you to sign up for those. Just get on our mailing list. And we will see you next time.