Curse of Cassandra or Hype of Chicken Little? Sorting Out Fact From Fiction On Operational Technology Security Risks

This is a podcast episode titled, Curse of Cassandra or Hype of Chicken Little? Sorting Out Fact From Fiction On Operational Technology Security Risks. The summary for this episode is: Attacks on operational technology (OT)--gas pipelines, electrical grids, banking services--are on the rise. In this episode, we speak with Chris Kubecka about how these incidents can affect economies and public safety in every geography, and how we might defend against them. Chris is the Chair of the Cyber Program at the Middle East Institute (MEI) and has brought Operational Technology safety front and center across the globe. She details how these incidents can be a serious breach affecting economies around the world.

Key Takeaways:
00:06 - 01:07 Intro to episode
01:40 - 03:17 The Middle East Institute
04:34 - 05:22 The difference between information technology and operational technology
11:39 - 13:08 Motives behind attacks
13:20 - 14:33 How we should think about operational technology security, that we aren't considering today
14:33 - 17:26 Do we need the government in order to follow cybersecurity safeguards?
18:47 - 19:57 Ideal state for operational technology security
20:26 - 24:38 Chris shares a recent, and very interesting experience
25:42 - 27:38 What keeps Chris awake at night when it comes to operational technology

Mitch Mayne: Attacks on operational technology or OT, the systems that control industrial equipment, these were once the domain of Hollywood who rolled out special effect disaster movies about nuclear power meltdowns, collapsed power grids, and poisoned water systems. Well now life may be imitating art and we could be heading into a period where disasters that once only lived on the screen may have a very real chance of occurring. In this episode, we'll examine just how real or imaginary the threat to OT might be. Joining us is Chris Kubecka. She is the chair of the cyber program at the Middle East Institute and she'll help us unpack fact from hype. Her work with MEI has given her a unique expertise on OT safety, given the heavy deployment of OT technology in the region. As such, she's got a keen eye not only into the security of the technology, but also the impact a serious breach could have on economies around the world and the cost on human lives. I am Mitch Mayne, and you're listening to Into the Breach. So Chris, thanks for being on Into the Breach today. We appreciate you joining us.

Chris Kubecka: Oh, thank you so much for having me.

Mitch Mayne: Chris, I want to start with the basics since we're talking to you as you work with the Middle East Institute right now, and I kind of want to give the listeners a primer on who MEI is, Middle East Institute, and I know that you guys started with an emphasis in the Middle East, but with cybersecurity over the past 24 months or so, your scope is significantly more grand than Middle East.

Chris Kubecka: Yeah, absolutely. So the Middle East Institute started 75 years ago. We started with this focus of trying to enlighten the US and North American public about the things that are going on in the Middle East, whether it be culture, education or news. And recently we expanded to include cyber technology to discuss some of the emerging tech that's going on and also the effects of technology on civil society. So things like disinformation or censorship for political purposes. One of the very interesting things I find about the region is the fact that not a lot of people in the western world know really what goes on in the Middle East, much less the tech world. I mean, we might hear negative news about the Middle East, but never some of the positive portions of information. We're trying to bring that to the US public as well as write policy for the US and the Middle East, which actually works. One of my pet peeves is the fact that sometimes when tech and policy merge, many times it isn't actually implementable or the greatest of tech policy because most of the time tech policy is not written by technologists, but lots of lawyers. My goals are to be very impactful, for instance, about a year ago we were asked by the UAE government to write the cyber addendum to the Abraham Peace Accords. So we wrote the world's first cyber peace accords last year because quite frankly, our entire modern world is technology and it can be used for good or not so good.

Mitch Mayne: Well, you bring up a good point because the Middle East is still a mystery to most of the western world. Speaking specifically of the US and what they do technologically over there is extremely interesting. As I have become professional friends with you, it's like I've started learning more and more about the technologies that they're developing, how they're applying them, and it is a little bit different than what's happening in the western world and it certainly has ramifications in the western world. So I appreciate you bringing that to bear and keep being vocal about that because these are things that we need to learn. And this has also very likely made you an expert on OT security because there is a heavy emphasis on operational technology in the Middle East because they are such a manufacturing of certainly of pipelines and petroleum.

Chris Kubecka: Absolutely. As well as trying to diversify into things like aviation, tourism and high tech. And that calls for a lot of automation.

Mitch Mayne: Yes. And so in many ways they may be doing different things and maybe actually even ahead of us to some degree. Let's talk about OT versus IT. I know that's a bit of a confusing area for folks and give me your two minute primer on how those two things are different. Information technology and operational technology.

Chris Kubecka: Well, you can think of IT information technology as a way that data moves, whether you're getting information or sending things back and forth. Now with operational technology, it involves a lot more automation and actually using technology to move things. So if you want to manufacture a widget, typically the data will move and it will tell certain machinery to do certain things to make that widget. And because you don't want to be doing it basically by hand, you incorporate automation into that.

Mitch Mayne: So is it safe to say then that using Mitch's sixth grade level understanding that information technology has to do with data and operational technology has to do with goods and services, so physical things?

Chris Kubecka: Yes, very much so.

Mitch Mayne: All right. So I know that operational technology is fraught with a lot of challenges. I've done some research in this stuff. It's some of the manufacturers of OT technology are decades old, some of them are not in business any longer. So securing that infrastructure is fraught with a lot of problems. What factors combine to make OT so insecure?

Chris Kubecka: Well, there's been a lot of push to put more IT infrastructure into OT environments. So if you want to increase data collection on how many widgets are being made and being made successfully and you want to get that up to sales people, marketing and management, you might add in an IT switch or to segment a network between business and operational technology, you will add in an IT firewall. And the problem lies here where OT technology is built to last for a long time. I mean, we still have OT satellites orbiting the earth that are over 50 years old and they're typically much more expensive. So imagine buying a whole kit of machinery that's supposed to last at least 10 years, if not, could last for 30 years. And then you put in IT equipment and IT programs that are typically expected to be replaced every three to five years. And you merge that. You also incorporate IT vulnerabilities into the OT environment because OT has to be extremely interoperable. Think of it as a metal puzzle that once put together is absolutely smooth and you can't see the lines versus IT, which even many IT protocols have all this error correction. There's no such thing in the OT environment. Everything has to work very, very specifically.

Mitch Mayne: So once upon a time, most OT technology was not connected to information technology or IT, but that is changing, which is introducing a lot of the security issues, correct?

Chris Kubecka: Absolutely.

Mitch Mayne: So let's talk specifically about some of the events that have happened over the last couple of months. OT technology has, I call it simmering on the back burner for some time. Then Colonial Pipeline hit in the United States late in 2021, and it kind of pushed all of this front and center to the headlines, but that attack was limited to the IT domain because their security teams took action to contain it. At the same time, we've also seen a bunch of very blatant attacks on critical infrastructure. I'm thinking of the Oldsmar, Florida water system attack, a similar attack in Israel, and then we had the October attack on the Iranian gas supply. Now these are just a handful that I know about, I'm sure that there are a lot more. None of these have resulted in human harm, but the pipeline and fuel supply attacks certainly disrupted life and markets. Do you have any insight into how many close calls we're actually seeing today? Because this is just a handful and I'm sure that there's stuff happening that's not rising to the level of media attention.

Chris Kubecka: Well, yes. There was an attack that was divulged during a panel I was moderating in Dubai back in May by Saudi Aramco, that they had halted a direct attack against their critical infrastructure, which had the goal of actually killing thousands of people. This is one of the dangers or risks of operational technology is when it's disrupted, when it is directly attacked, it has a much bigger impact than say an IT attack where your email might be down, where Twitter might be down, whatever, or a delay of messages. And OT technology, you have to realize it involves safety of people, safety of life and limb. And when we also discuss even things that were close calls when the Colonial Pipeline occurred, the disruption and also panic actually led to some people dying from people unfortunately filling up plastic bags with gasoline and then whoops, someone was smoking nearby to disruptions in some logistics and emergency services. And unfortunately that's what happens this much bigger domino effect than not being able to access Facebook.

Mitch Mayne: Well, let's talk a little bit more about that. So I'm thinking of the water treatment plant attacks and because that attempted to change the levels of, this is going to be a little chemically, I'm going to put on my doctor science hat here, of sodium hydroxide that was being added to the process drinking water, and at low levels it removes heavy metals, but at high levels it's fatal or it causes severe burns when it comes in contact with humans. So Florida, we managed to escape that one and no poison water reached the public. Same thing with Israel. Thinking of Colonial, you mentioned a couple of things. What was the Hollywood outcome that we may have escaped if that had actually gone into the operational technology environment?

Chris Kubecka: If it had actually carried through, if we take a look at the water systems in the United States, it's kind of unique for the fact that it's one of two countries, the UK is another one, that still has lead pipe infrastructure. And if you change the chemical balance of what's going into the water system, like you said, it can remove heavy metals, but it can also start stripping those metals, putting them directly into the water system, which also can mean lead also turn water into acid, which isn't I'm sure a pleasant experience. So imagine out of the tap filling a baby bottle and mixing up formula and heating that up, what that could do much less to anyone who just wants to drink water. It can also just production. So to produce certain types of materials, you have to have pretty clean water because they're dealing with different types of metals. So again, changing the chemical composition can also shut down production, especially in the automobile industry.

Mitch Mayne: Well, so I want to ask you a little bit about what you suspect is motivation behind these because these are sounding a lot less like extortion and a lot more like terrorism, and maybe the two are blended. I know that in the case of the Colonial attack, we have REvil demanding millions of dollars in Bitcoin in order to release the data. But what is the motivation behind these kinds of attacks? Is it just kind of a mixed bag of both extortion and terrorism?

Chris Kubecka: Well, it can be a mixed bag of extortion and terrorism, especially if the group that is trying to extort money is going to give it or use it in some sort of terrorist activity or if it's a sanctioned government or if it's some sort of rogue group that is doing all sorts of batty, batty things and will use it for weapons. So this is the reality of the situation. But I do agree with you that in some cases also it just seems to be pure cyber terrorism.

Mitch Mayne: That does seem to be the case. Thinking about the Florida attack and specifically we don't know a whole lot of information about that. Many of the details have been kept private, but there have been links to Iran and other nation states for similar types of attacks who have not actually demanded a ransom for the attacks, but they've been discovered before any sort of information could come out from the terrorist group. Are we thinking that this is going to be a blended model of attacks that we are going to be seeing more of?

Chris Kubecka: Well, I think so. I mean, it used to be in the past in order to spread terror, you had to send people to the area, handle the logistics for arms, for bombs and explosive materials, and now you can just do it with the press of a button from anywhere in the world. And it's much harder to detect the buildup to these types of attacks, but at the same time, instead of affecting a few city blocks, you are now affecting a region and scaring the bejesus out of them because if they can't drink water, that also has a psychological effect.

Mitch Mayne: It does have a psychological effect. I agree with that. How should we be thinking about OT security that we're not considering today? Just from a US standpoint, what do you think is the most vulnerable critical infrastructure sector?

Chris Kubecka: Well, I think one of the ways that we should be thinking about OT security is, and there's probably some lawyers listening, take a lot of the lawyers out of the equation. This is much more important to human life and safety than worrying about, "Oh, will somebody find out? Will we be liable?" Turn that around and start thinking about if you don't share this information with, for instance, the UK government and you don't have a robust and tested plan in case this happens because it will happen, breaches happen. That's why there's such a thing as cyber insurance. We have car insurance, we have house insurance, we have cyber insurance because things happen. But all too often, even though there might be public and private data sharing agreements, the lawyers, unfortunately not all, but some get involved and are like, "No, we can't do that. We can't tell them everything." And it delays containing the incident and it can lead to real physical harm.

Mitch Mayne: I agree with that statement. And it's not just our lawyer friends who tend to throw up roadblocks and that we also have folks who are just concerned about PR, which is another thing that I think should take a backseat to public safety and disrupted markets. But that's just Mitch's two cents. I want to talk a little bit about the Biden Administration's executive order, and I shouldn't say talk about that in a minute because that is a more than a minute long conversation. That order is sure to impact operational technology, and in fact that part has already begun with plans to impose cybersecurity mandates on railroad and rail transit. If you recall back a few months ago when those announcements about rail and rail transit were made, there was a response from the transit industry with one leader specifically saying, I'm going to get this quote wrong, but to the effect of, this industry does not need the heavy hand of government in order to follow cybersecurity safeguards. What's your perspective on that response?

Chris Kubecka: I would have to respectfully disagree. When we're talking about logistics and railroads, the majority of cargo in the United States is run by rail, and there's already been a longstanding problem with how to handle hazardous material spills in the middle of nowhere where there might only be a volunteer fire department that does not have the necessary tools to be able to deal with a derailment of these types of materials. Many years ago when I first got out of the military, I did disaster recovery for some of these municipalities involving hazardous materials and rail crashes and derailments. Now, if you can do the same type of thing, but again with a computer and switch tracks leading to derailments, and you already have the existing problem of what to do if there's a spill, this is a problem. I encourage our listeners to look up videos of runaway trains because they already have a physical security issue where you can access some of the yards and turn on trains. These switches can be in far flung places where you can physically tap into them and change them. And because they're in these far flung places, it's difficult for the physical security to be implemented. And lastly, one of the scenarios that we ran in the EU NATO cyber warfare exercises a few years ago was concerning the London Underground, which is a rail system. And in the scenario, because I'll just say signaling systems can be up to 40 years old, they're hard to replace and keep them interoperable. What we did in the scenario was during the rush hour in central London made the trains smash into each other, killing tens of thousands of people. And that was a very realistic scenario that I set up because I used to lecture for GCHQ's centers for protection of national infrastructure. And one of our customers, so to speak, was the London Underground and Overground. So these are very realistic things and if the UK, the EU and NATO have been starting to take this matter seriously years ago, it's about time the US, which is more vulnerable, actually does something about it. We need to be leaders in this field, not followers.

Mitch Mayne: Well, I actually had the same reaction to when I read the response from the rail industry. I was quite surprised to see the adamant resistance to any sort of oversight and impact to the rail system. I was surprised. Let's focus a little bit more on the Biden Administration's executive order. What do you think we're going to see coming out of that from operational technology? And is it actually going to help us be more secure?

Chris Kubecka: Well, it has potential, and I say it has potential because in writing it looks very good. In reality, they would also have to set up basically the back office port of cyber security to support the new policy. So hiring more cybersecurity professionals, beefing up CISA, beefing up US-CERT, et cetera. And implementing that new department that they want to start to handle some of these things while also bringing the FBI into the modern world. The FBI still has kind of a small cyber team in comparison to financial crimes, and we've seen, especially with the pandemic, that physical real world crimes have actually decreased, but digital crimes have increased. So in order to successfully implement it, all of that support function has to be there.

Mitch Mayne: What do you think is our ideal state then for operational technology security and more importantly, do you think we're ever really going to get there?

Chris Kubecka: All right. I'm going to say a dirty word, regulation.

Mitch Mayne: Dun, dun, dun.

Chris Kubecka: Right?

Mitch Mayne: Yeah.

Chris Kubecka: Regulation comes into play a lot with safety issues. I was doing a podcast recently with National Blast, Keenan Skelly, and she stressed this point where we brought in regulation with automobiles because people were dying too often. And so we have these things called seat belts. But at the same time, I also like, because I live in the Netherlands, the Dutch approach as well, when there are regulations put in place by a Dutch government in order to enable them, they also earmark funds to actually pay for things to be implemented due to those regulations and they're sent to the companies themselves. So it's a no-brainer to go, "Hey, we don't have to wait to do this or try to do it with the lowest bidder, whatever," because that never works. We actually have the funds available to implement the regulations. So it's not going to bite. We're not going to lay off people, we're not going to do it in such a terribly ad hoc way to try to squeeze and scrimp and save money. We're actually going to do it the right way. So the government supports the regulation by actually paying for the regulation.

Mitch Mayne: Oh it's the magic marriage of regulation plus funding.

Chris Kubecka: Yes. Yes.

Mitch Mayne: And to the question of will we ever get there, your guess may be as good as mine given what we go through, it seems unendingly in the US political system around budgets. I want to ask you to tell me a little personal story though, because I know last fall or just this fall, you had a really interesting experience. I believe it was coming out of Iran. Do you want to share what happened? Because I just think that's just an interesting little vignette.

Chris Kubecka: Well, about four years ago, I got an interesting message on LinkedIn. It's amazing how that platform's used nowadays. And it looked like a very vanilla request asking about doing an in person hands on offensive security course. And at first I was like, yeah, I can give you a quote, whatever, whatever. But then the conversation started taking a turn. It turned out that it was from the big Iranian telecom, which is owned by the Iranian government, obviously I got suspicious, started writing down names, recording conversations, et cetera. And some of their requests were information about Saudi Aramco's infrastructure. And finally they flat out asked me, they wanted me to come in country, they would pay me a hundred thousand Euro a month to do so, put me on a VVIP tour for photo opportunities with various Iranian generals and to teach them how to hack critical infrastructure with a focus on nuclear facilities.

Mitch Mayne: Oh.

Chris Kubecka: Yeah, fun stuff, right? So I alerted the FBI and although they took a bit of time to come back to me, they're like, "Yeah, yeah, this is bad. We now actually fear for your safety. And there's been assassinations in the Netherlands where you live by the Iranian government, don't contact them again, tell us if they contact you again." And when I broke contact some of my friends from various European CERTs and the Dutch government alerted me that pictures of my house had been taken and put on religious extremist websites labeling me as an enemy to Islam. So those were luckily taken down and I thought everything was over so I could tell the story. So an article breaks this year in January, and I will say I was a bit cheeky. I explained the story as well as to take revenge. I said, "Revenge is best served over IoT." I had taken advantage of this recent law that had come into place in Iran, where all mixed gender facilities, like restaurants, entertainment places, had to have IoT cameras that went back to the religious portion of the police to make sure ladies didn't take their hijab off or there weren't bachelors sitting in the family section because things are segregated like that in much of the Middle East. And of course when you're dealing with over 10,000 IoT cameras going to a central location, how much security and how strong is that password, if there is one, is in existence? And it turns out there wasn't, I could remotely access these cameras, I could adjust the resolution. Some of them had voice. And so I handed that over to some friends in the US government and the European government to do with it as they would and will. When the story came out shortly thereafter, the person who was trying to recruit me sent me some very angry messages, which I asked a few peers because I didn't want to freak out too much. So you ask people like, "Do you think this is threatening?" And it turns out they thought it was a credible threat against me. So my neighbors in the Netherlands suddenly found out what I did for a living because the police were called out to address the situation. They had to talk to all of my neighbors, told them to call the equivalent of 911, not the non-emergency number, if anything was unusual, they told me get out of town. The terrorism police in the Netherlands were involved. Then when I went to the UK, Scotland Yard got involved, my next trip was the US. So Secret Service got involved. I ended up in a White House intelligence report. The funniest part about it, because things happen and I like revenge, is one of my good friends will just say, a person who works with the police used the phone number that the angry messages were sent from, told me one of the domains which had been registered with that phone number using that domain, went back and saw there were over a hundred domains, one of which was some fake Saudi Aramco domains and also a bunch of fake news set up by the Iranian government propaganda news websites, which I don't know what happened. I mean, I just briefly remember something, FBI took down a bunch of sites related to that. Basically the person gave up an entire operation by being angry with me.

Mitch Mayne: That is a hair raising tale, Chris. That is absolutely amazing. And from your own personal perspective, of course, I want you to be careful because you are not only brilliant, but I just think you're awesome. The other part of this though too is it really drives home the point that this stuff is serious business to a lot of our nation state's actors. Getting into operational technology is a well run business. It is not some singular actor in a hoodie, but involves many, many organizations and is deep into a lot of our nation state organization administrations. So thank you for doing what you do and by all means, stay safe. You can come stay here if you want. Nobody knows where I live. I just moved again, so.

Chris Kubecka: Yay.

Mitch Mayne: We're right on the water. That's all I'll say. All right, so I'm going to ask you another spooky question, and I know the answer to this one I think, but I'm going to let you go there anyway. What keeps you awake at night? I mean, that story that you just told is probably going to be first and foremost, but in general, what does keep you awake at night when it comes to OT?

Chris Kubecka: Well, I think it comes from my passion with space, but that's one of the things that does keep me awake at night. It was only recently, about two, two and a half years ago that the FCC mandated that US new space IoT actually had to use a basic form of encryption. That to me was mind blowing because we rely so much on space. Think about the last time you pulled out a paper map and actually charted things. I remember when I was a kid, my grandparents would get these flip book maps from AAA when we had to drive a long distance with the route highlighted.

Mitch Mayne: I remember those.

Chris Kubecka: Right? We don't have to do that anymore. We pull out our phone, beep, beep, beep, beep, done, right? Perfect route. It'll even update us if there's too much traffic and to change a route. The aviation industry relies on it, the maritime industry relies on it. We can also see all sorts of things going on if you're trying to see if there's a big fire and where to send resources. That type of stuff can be picked up. Our communications to use credit cards, and this has happened before when we've had various, not super dangerous solar storms, but payment systems have been knocked out because of interference, and yet we rely so much on this. But there is so little security when it comes to it. I was asked to be quoted for an article in The Register, I think it was back in September with the title of, In Space Cybersecurity Professionals Can't Hear You Scream, kind of a blunt article. And also listed a PDF from the inspector general on unfortunately how poor the cybersecurity was in NASA. So the last three years they've suffered over 6,000 notable attacks. Everything from insiders mining bitcoins on super computers, to not classifying critical operational technology that people's lives depend on as actually critical because they didn't want to do the paperwork.

Mitch Mayne: Oh my goodness, that will now keep me awake at night. The one thing that I did want to ask you about, so it's like when people think about space, they think about the satellites and of course the missile defense system comes into play. In order for us to actually patch that stuff, we'd actually have to fly up there. Is that correct?

Chris Kubecka: Yeah, or just send new stuff up and hopefully this is another thing that worries me is, it was also only recently required that the stuff you put up in space, if it degrades or something goes wrong, it should be able to basically enter what's called degradation orbit and then land in the middle of the South Pacific so it doesn't hurt anyone. That's also only been a recent requirement instead of the other way. The bad things that can happen is they can actually just smash into other space apparatus, take out critical things, cause even more space debris or land in someone's house.

Mitch Mayne: Yeah, that's an equally distasteful outcome. I'm definitely going to be staying awake at night and thinking about that. Space is something that I am enthralled by as a techy nerd, but I didn't think about the space garbage and the danger of the space garbage. Yeah. So let's talk about something a little more optimistic. We have a good horror story from you on what happened with Iran in recent past. We have a second one with all of the attempted hacks of water systems and pipelines and a third one about space. So let's talk about something a little optimistic. Given all of that, what brings you down off of the ledge?

Chris Kubecka: Well, I think one of the things that brings me off the ledge is actually looking towards the Middle East. They appointed about two years ago now, a minister of artificial intelligence. They have a minister of advanced technology as well as a minister of information technology. And they're trying to lead the way in embracing high tech by saying, this is our future. We need to streamline our healthcare. UAE was the first country to put up on GitHub, different types of machine learning that you could use to look at CAT scans to see if someone had COVID before we had COVID tests. And that was freely available. They know that digitizing a lot of their paperwork and so forth will cut down on the bureaucracy and also benefit people of all walks of life. Because right now I've heard the horror stories, I haven't had to go for a long time, but the DMV, giving up your entire day to do something that should be able to be done online and giving people back time, improving healthcare, improving technology and embracing it. They have all sorts of programs, of course their university is nothing, to get their population up and running with things like machine learning, things like embracing and looking at quantum communications and quantum computing. And also at the same time they are incorporating high tech into their national policy. So it's very promising. And again, I think that the US should actually be leading that as in being the leaders not trying to play catch up. So that's one of the things that gives me a lot of optimism is looking to the Gulf region.

Mitch Mayne: That's an interesting perspective to have and it sounds like we could learn a few things from our friends over in the Middle East. And Chris, I want to say thank you for joining us today. You've given us a lot to think about and raise the hair on the back of our necks in a good way. One last question that I didn't get to is we have a section of the general public and even into the threat intelligence and the incident responder community who thinks that the OT security threat might be a little more hype than fact. What would you say to that perspective?

Chris Kubecka: Well, I would say to that perspective, someone who has actually handled four or five nuclear cyber incidents, it is actually less hyped in the media. And if it was actually told the way it was, the general public would be scared more of that than my space story.

Mitch Mayne: Well also not optimistic, but thank you Chris. That's good perspective to have and also this being in the industry myself, I also see a good deal of that. And it's amazing to me how naive the perspective is that it's just simply click bait when a story like this runs, and it indeed may encourage clicks, but I would drop the word bait. Chris, thank you again for your time today. I very, very much appreciate you taking the time out of your schedule to join me and to join our listeners. Any final comments before we wrap?

Chris Kubecka: I do have one final comment. I think one of the ways that people like myself, yourself can help is about 80% of critical infrastructure cybersecurity issues are actually reported by ethical hackers. Yet there are a lot of challenges to do that and a lot of risk because the legal code in the United States doesn't quite allow yet for ethical hackers. But I do think we need to start looking at ethical hackers more as hacker responders trying to halt things before they get big. If they see your door open, they should be able to tell the police or the powers that be, hey, somebody left their door open, before a criminal gets in. And we need to recognize that with the skill shortage in general cybersecurity across the board and around the world, that people who are trying to do good and tell you, hey, your technology is not so great as in security, please don't put us in jail. And we like stickers. The Dutch government, if you find something in their government, they actually will give you a t-shirt that says, "I hacked the Dutch government, and all I got was this lousy t-shirt."

Mitch Mayne: Awesome.

Chris Kubecka: Right. And that's all we need. So be kind to us hacker responders. And also to close, it's always a pleasure talking to you.

Mitch Mayne: Well, likewise. Likewise. Thank you, Chris.

Chris Kubecka: Thank you so much.

Mitch Mayne: A special thanks to our guest, Chris Kubecka, for her time making today's episode. If you want to hear more stories like this, make sure to subscribe to Into the Breach on Apple Podcasts, Google Podcasts, and Spotify. You've been listening to Into the Breach, an IBM production. This episode was produced by Zach Ortega and Clara Shannon. Our music was composed by Jordan Wallace, with audio production by Kirin Banerjee. Thanks for venturing Into the Breach.

Today's Host

Mitch Mayne | Editor in Chief, IBM Security X-Force

Today's Guests

Chris Kubecka | Founder and CEO, HypaSec