Securing the Energy Grid from Cyber Threats with Xage Security

Cody Simms (00:00):

Today on Inevitable. Our guest is Roman Arutyunov, Co-founder and SVP of Products at Xage Security, and our topic is the intersection of cybersecurity and our energy systems. Xage Security is a series B stage startup that seeks to protect energy and other critical infrastructure from cyber threats. They've raised money from major energy companies including Chevron Technology Ventures and Aramco, as well as venture investors including Piva Capital, Valor Equity Partners, and Overture. I don't know much about cybersecurity and I was interested to learn from Roman about where the threats in our infrastructure are and what motivations bad actors might have in exploiting them. I was also interested to hear about how these threat vectors are changing as our energy systems increasingly become distributed and electrified and as AI grows up around us. But before we dive in... from MCJ, I'm Cody Simms and this is Inevitable. Climate change is inevitable. It's already here, but so are the solutions shaping our future. Join us every week to learn from experts and entrepreneurs about the transition of energy and industry. Roman, welcome to the show.

Roman Arutyunov (01:30):

Thank you, Cody. Thanks for having me.

Cody Simms (01:32):

Well, this is a topic we really haven't covered on this show very much at all, but so important, which is one of cybersecurity and our energy systems. I know energy isn't your whole focus at Xage Security, but it's certainly an area that you do have a significant business in. So excited to have you on. You were referred to us by multiple people, including our friend, Shomik Dutta at Overture, who said, yeah, if you want to talk about this topic, you got to talk to Roman. That's a ringing endorsement. Welcome to the conversation.

Roman Arutyunov (02:05):

Thank you, Cody. It's exciting times for the intersection of energy and cyber for sure.

Cody Simms (02:11):

Why don't we start with a very high level description of what is Xage Security and then we're going to spend some time unpacking cybersecurity at the highest of levels and then take it from there. So what is Xage Security?

Roman Arutyunov (02:24):

Really, we found Xage Security to help organizations protect their critical infrastructure. This is the hardest to protect type of asset. Organizations today are struggling with enabling access so that work can be performed both by people as well as applications and systems, but at the same time are worried about their core assets, the assets that run the critical infrastructure and they need to protect them. So Xage really was founded to solve some of these hardest problems, which is the critical infrastructure access and protection. What we do uniquely is we really focus on critical infrastructure sector like energy, utilities, manufacturing, defense as well.

Cody Simms (03:12):

You've got a ton of logos all over your website of players in the energy space from the US DOE and NREL to large energy producers like Saudi Aramco, Patronus, pipeline companies like Kinder Morgan. You're clearly working at this nexus of energy and infrastructure companies. Let's start with a little bit of cybersecurity 101. What are some of the key terms that I and we should know about when it comes to protecting critical assets and what are things that these companies are feeling most vulnerable about when they reach out to you?

Roman Arutyunov (03:50):

I've been in this space for quite some time now, and I would say about 10, 15 years ago, the mentality in the energy companies was no one's really going to want to hack a utility. What are they going to get from it? That was a false sense of security that radically changed over the years, especially in the last five years. There is an increasing number of attacks and factors, 60 plus attacks per day on energy infrastructure alone. There are a couple motivations here. One primary motivation is ransomware, so where malicious actors are going after the energy infrastructure to extract essentially financial gain for themselves, and that's dramatically on the rise. The other big aspect though is attacks from nation states and those are very hard to protect against and they are very sophisticated launched by nation states. They may be in the environment for a very long time and organizations are obviously on a hook to protect against those as well.

Cody Simms (04:58):

Ransomware is obviously companies getting into a system, taking it over and basically saying you can have it back for some amount of reward for financial gain for the nation state attacks. Does it tend to be looking for IP theft? Does it tend to be focused on sabotage? Is it purely espionage and leverage? Do you have a sense of the rationale or reasons why these might be occurring?

Roman Arutyunov (05:24):

Yeah, it depends on the nation, but it's all of the above. The big component there is just to extend the control, make sure that you have the controls. The nation states have controls and the critical infrastructure of other nations and US critical infrastructure, so then when they need it, they can be leveraged.

Cody Simms (05:45):

Now, one of the most infamous versions of that that I think has come to light in the last year or so, actually it's not in the energy sector per se, but is in the telecom sector. The whole salt typhoon hack that I believe was Chinese actors coming into the US telecom system that people have said, is the single largest cyber attack known in the history of the world or something crazy like that. Can you share a little bit about that and parallels that that might play to the types of attacks that our energy infrastructure is trying to prevent?

Roman Arutyunov (06:15):

We seem to be setting records with every new major attack or every major new discovery of an attack. There have been similar scope attacks in the energy sector as well. There's nation states that have penetrated our energy sector through supply chains, through various third party connections and have been living off the land essentially within the energy networks. With the salt typhoon attack, you had the discovery of the Chinese state actors being in our telecom infrastructure. The infrastructure is pretty old. It's came to light Similarly in the energy space though we have infrastructure that's decades old and very hard to protect and easy for nation states to penetrate and get in there, live off the land and spread as needed, that becomes very hard to detect as well.

Cody Simms (07:10):

I've read a bit on your website and some of the writing you've done about the intersection of operational technology or OT and information technology or IT and in particular these nexus points where these two meet is often where you have extreme vulnerabilities because you have technologies of very different age and vintages trying to interface with one another. Particularly with this salt typhoon attack that we referenced. It was in that nexus as well where some of the vulnerabilities look like they may have come in. Can you talk about these two terms and what we should know about them? Again, just sort of a little bit of cybersecurity 1 0 1 for all of us.

Roman Arutyunov (07:50):

When you think of IT, IT is really the traditional enterprise infrastructure information technology infrastructure. The goals in securing that infrastructure really tend to center around protecting the information databases, the data that's being generated, securing and protecting access to it, and that data at the end of the day is driving business decisions. It is core intellectual property of companies and needs to be protected rightly so.

Cody Simms (08:21):

This would be your modern enterprise SaaS level software layers that users of these systems are logging into and interacting with. Would that be right?

Roman Arutyunov (08:32):

That's right. When it comes to that, think of things like software as a service applications. Think about your enterprise resource management systems, your HR systems, even your employee endpoint laptops and works and the software on those. There be intellectual that's on that as well or data that needs to be secured.

Cody Simms (08:55):

And then what is OT? Operational technology?

Roman Arutyunov (08:58):

When it comes to ot, it's quite different. OT is driven by assets like sensors, meters control systems. These assets are now digital and they are essentially also gathering data about the state of the energy system and processing that data, making decisions and taking action in a highly automated fashion

Cody Simms (09:25):

Often have been running for 20 years, 30 years. These are windows NT systems or even older in many cases that are just cranking?

Roman Arutyunov (09:35):

Yeah, they're just cranking their automated systems. A portion of them are the operating systems we're familiar with like Windows NT at least, or XP or Windows in general, but a majority of them are embedded systems. They are controllers. Their software is proprietary, lives inside and accessible and many times very hard to patch or update. These are the machines that are driving the industry. They are balancing the grid. They are helping to deliver power. They're keeping the lights on the factories running these types of machines. There's oftentimes some human interaction with them, but they're oftentimes just very highly automated. They've been there for a very long time and their goal is to make sure that their specific operation keeps running if it doesn't, oftentimes the issue is not so much as propriety data loss, but more about bigger issues like environmental damage, fires, blackouts throughout the whole territory, life and safety issues as well that arise from that, so the stakes are a lot higher.

Cody Simms (10:48):

If your sensors that are detecting some kind of heat or thermal anomaly are hacked and rendered inoperable, then obviously the safety of your plant becomes hugely at risk.

Roman Arutyunov (11:00):

That's right, and unfortunately these systems are pretty easy to take advantage of and to hack. Essentially, if you are able to overwrite or reconfigure a controller that's sitting out there for a critical process, it will not take a safety action when it's needed and instead you've configured a higher threshold for it, so you may have a widespread damage or a fire before it even takes action.

Cody Simms (11:29):

Now, I'm guessing a lot of these systems were not originally built considering internet connectivity in mind. They were built as local on-prem software that runs that you need to walk into the plant or the factory or whatever and be on site to pull the data off of them, but today we're retrofitting a lot of them with remote access control and things like that. Is that where this intersection of OT and IT comes together and creates issues?

Roman Arutyunov (12:03):

Absolutely, so that's exactly what's going on. There's digital transformation that's taken effect in our energy sector where we want to drive business optimization in the way that we deliver energy, the way that we balance energy consumption and supplies for that, you need to connect them to business systems, business applications as well as people accessing these assets remotely. We're also working in a much bigger scope with our partner companies and service providers. Any company may be working with hundreds of partners in the supply chain to deliver that energy or deliver that resource that they're producing and they all need access as well, and their systems also do need access to this data, so now we have this intersection between enterprise systems and IT and OT. People use this word convergence in the sense that is convergence because the collaborating to deliver the ultimate goal, but security practices is quite different in IT versus OT, it's protecting operational systems. The techniques are very different compared to protecting enterprise systems like SaaS applications.

Cody Simms (13:23):

Where does age come in? I see on your website you use this phrase zero trust security. What does that mean?

Roman Arutyunov (13:29):

What Xage really created is a way to use zero trust principles, which means that there is no implicit trust. Any type of an asset or interaction with an asset needs to be explicitly authenticated and authorized before it can take place. Traditionally, the type of architectures that have been in place assume trust if you're inside of the operations network, if you're on site, if you walked into a substation or you accessed a substation remotely, you're trusted. You can access everything.

Cody Simms (14:05):

If someone looked at your ID and said, you're the right person, then you have access to do anything, whereas going forward, you can't necessarily assume that because you're not being physically validated with your face on-prem. You're logging in through some remote IT application.

Roman Arutyunov (14:23):

Yes, exactly, and people used to say that if you walked into a power station or power plant, if you accessed the power plant, it's too late. You automatically have access to really everything, and today those architectures are falling short in a big way. With us. everything needs to be verified, everything needs to be authorized for every single interaction, whether it's from human or from another application on machine. We control those very tightly.

Cody Simms (14:52):

Including, I'm guessing, resetting all the passwords from a username of admin and a password of password.

Roman Arutyunov (14:58):

Absolutely. It's still not uncommon to find that though there is big initiative for energy companies to get rid of shared credentials or default credentials on these types of assets, but they have a real challenge and that challenge is unlike IT systems, operational systems are highly distributed and they're becoming even more distributed in the energy space with renewable energy coming in. You have renewable assets really all over the place and tying them back to some sort of a central control is just not an option, so you need a really highly distributed approach to be able to manage those credentials and manage that access where the access is and where the assets are.

Cody Simms (15:45):

Let's break down some of the major customer types within energy that you work with and how their challenges differ as we contemplate a world that is today still primarily powered by oil and gas and is in the process of transitioning to one that's powered by renewables. How does the vector of attack surface change as that transition happens today? I know you do support a number of companies in oil and gas managing their pipelines, managing their refinery assets. How does that change to a world of solar farms and a world of distributed wind energy and battery storage resources over the next decade or two, just in terms of different types of cybersecurity challenges that those two customer types deal with?

Roman Arutyunov (16:34):

The similarities is that the energy, oil and gas infrastructure as well as the utility energy infrastructure is both are very highly distributed, both are now highly connected and driven by business applications and now starting to be driven by AI enabled applications. The other similarity is they all have a mixture of assets. Some of them are new, some of them are quite legacy. They've been there for a while. An approach to cybersecurity is that you got to protect them all. You got to find a way to protect assets across highly distributed spaces no matter how old they are, because attackers will find the weakest link and go from there. The differences are interestingly enough, and specifically in the energy space is that with the introduction of renewable energy resources, the dynamics are quite different because all of a sudden a utility may not actually own those resources. They may be owned by somebody else. In fact, there's a different owner, there's a different operator, there's a different service company.

Yin Lu (17:44):

Hey everyone, I'm Yin a partner at MCJ here to take a quick minute to tell you about the MCJ Collective membership. Globally startups are rewriting industries to be cleaner, more profitable and more secure, and at MCJ, we recognize that a rapidly changing business landscape requires a workforce that can adapt. MCJ Collective is a vetted member network for tech and industry leaders who are building, working for or advising on solutions that can address the transition of energy and industry. MCJ Collective connects members with one another with MCJ's portfolio and our broader network. We do this through a powerful member hub, timely introductions, curated events, and a unique talent matchmaking system and opportunities to learn from peers and podcast guests. We started in 2019 and have grown to thousands of members globally. If you want to learn more, head over to mcj.vc and click the membership tab at the top. Thanks and enjoy the rest of the show.

Cody Simms (18:46):

The whole evolution of the power purchase agreement and virtual power purchase agreement means you're accessing electrons that you don't control and frankly, you may not even know exactly where they're being produced necessarily at any given moment.

Roman Arutyunov (18:59):

That problem is scaling fast. We're not talking about just one site or one wind turbine. We're talking about thousands and thousands of them spread across large territories, hundreds of various companies that are responsible for them. The goal of the utility company is to deliver a reliable service, so they need to be integrating these renewable resources in a way that they can rely upon. That means that they have to rely on the capacity that will be there when asked for it from these renewable sources to balance out the grid. Cybersecurity plays a critical role in that, being able to make sure these resources conform to the right levels of cyber controls and are available when they need it or not taken down by malicious actors even though they don't directly control 'em, but need these requirements to be met nonetheless.

Cody Simms (19:58):

Is there a regulatory regime that is creating standards that are required of on grid energy assets regardless of renewable or not?

Roman Arutyunov (20:09):

There's work to be done there. I mean the energy sector in itself is highly regulated as we all know and has taken cybersecurity seriously for the last couple decades with NERC-CIP and various iterations of that. There's a new iteration of that that's putting in even stricter controls. It is reclassifying some of the assets that were previously did not have to go through these stringent security regulations. They're reclassifying these assets to be required to be secured as well. That now includes renewable energy assets.

Cody Simms (20:47):

One of the things we hear with renewable energies, the regulatory and permitting requirements are causing everything to be deployed much more slowly than we would all like, and yet I'm also hearing from you the criticality of some of these requirements if we want to ensure that what we're deploying is safe and secure.

Roman Arutyunov (21:07):

Exactly. It's a balance. It's sort of a pendulum swing. We swung it the other way for a while where we're building a lot of assets, a lot of distributed resources without strict regulation, and now we're starting to swing the other way where there is lots of good regulation that's coming in, I'm sure it'll balance itself out and start swinging back to building large capacity again. The other big part of that is, as I mentioned and the new iteration of the NERC-CIP is focused on supply chain security. It's not just supply chain in terms of the actual vendors' requirements to meet certain vulnerability and disclosures and patching updates, but it's also how you enforce your security requirements onto third parties that are accessing your systems by requiring them to use secure remote access solutions, multifactor authentication by needing to segment out and provide zero trust access to individual assets. That's all great stuff. That's exactly what we want.

Cody Simms (22:15):

You said earlier as more and more distributed energy resources come on the grid, the utilities have less and less end-to-end control over them, whereas they may operate their own gas peaker plants. They're not operating the wind farms or solar farms that are ultimately supplying power to their grid, but I would also think that the distributed nature of these assets makes them more redundant in a good way, meaning if one goes down, your whole system doesn't go down as opposed to a coal plant or a large centralized power plant that's providing a huge chunk of power to the grid. To what extent are the utilities throwing up their hands and saying, Hey, we have built in security in distribution.

Roman Arutyunov (23:02):

Some of that is true in the sense that you have more optionality and more granularity and more things to fail over to, but when it comes to attacks, there's wide recognition when specifically when it comes to cybersecurity, there's white recognition that attackers will exploit the weakest point and spread from there, so that means that even though you thought that it's okay for them to hack a single wind turbine or wind farm, they have other ways to spread from there. Now you have a chain reaction of events and there's a big recognition in the new NERC-CIP requirements around that as well.

Cody Simms (23:40):

You talked a bit about AI coming into these systems. How does that adoption both help and hurt security? I'll take a crack at my own hypothesis right now, particularly of our operational technology that is old and in many cases not internet connected, I would think that these systems to some extent are insulated from attacks and the more they start getting web-based hooks into them and automation working together with them, it creates openings. I recorded a podcast recently that we just published with the CEO of a company called Line Vision that is doing basically sensing and detection of our transmission lines. He had a quote that he said his doorbell at home is smarter than the average transmission line is because they are just quite literally electrical wires connected and weren't ever built with any kind of monitoring in place, and they're now going in retrofitting those. As they do that, it starts to open up vulnerabilities that these dumb systems maybe didn't have before. That's I guess the bear case for AI coming into the workplace in these areas. The bull case is, I guess it also can increase your ability to detect bad actors and issues.

Roman Arutyunov (24:59):

It's definitely getting a lot easier for attackers, especially with AI leveraging AI tools and the fact that our energy systems are highly connected. A whole connectivity in an energy sector started 20 plus years ago. The energy sector today is one of the most widely inner networked and connected systems in industrial space period. Specifically focusing on AI, how easy it is today to just use gen AI tools that exist and launch a phishing attack. It's extremely easy to do so. In fact, AI generated content oftentimes looks even better than the company's own marketing content. Companies are leveraging AI for their marketing purposes. It's very hard for any normal employee or user to detect a phishing attack versus AI generated phishing attack versus a legitimate company email. That's a real problem, and yet at the same time most attacks are happening because of stolen credentials or stolen accounts. Attackers utilize the VPN connections that exist everywhere to get into the network, find an asset enumerate, find other assets, and then spread laterally and start encrypting data and holding companies to ransom. That's the cookie cutter recipe for 80 plus percent of the attacks out there and now with AI making it a lot easier to launch these. It's a real challenge for the industry.

Cody Simms (26:40):

The current major threat of AI is just the increase in phishing you would expect to see as a result of AI just being better at targeting the right people and writing the right content to get you to reveal some credential or log into some fake website that gives a bad actor access to the system through which they can then tunnel into other things.

Roman Arutyunov (27:02):

Attackers can launch this type of attacks within a couple hours today. It's simple as that. Now, this is why there's also an acceptance that in order to protect against these types of attacks, the training of employees is one thing, but it's also becoming very difficult to even train employees on detecting phishing attacks because they're so real. Now organizations need to really take proactive protection measures assuming that this phishing attacks will happen. The proactive measures are what good security hygiene is, change those credentials often restrict access with zero trust to only the assets that are required for any one user just in time access, adaptive MFA and segmentation. Those are the proactive techniques to protect from these phishing attacks in general.

Cody Simms (28:00):

Read an article recently about IT departments that are increasingly getting clever at fake phishing attacks to their employee base to help employees understand how they can get trapped in these attacks.

Roman Arutyunov (28:12):

They run tests, periodic tests on how well their organizations are doing in terms of that. It's really hard to keep up. It's very easy to stand up in these emails and these phishing attacks look very real. There was a recent attacks also with MFA fatigue for example, where essentially if you bombard a technician or even let's say a manager in the middle of a night with an MFA request, they're likely to wake up and just click accept on their phone, Hey, I need to go back to sleep. I'm going to hit accept, and all of a sudden that malicious actors leverage the fact that you're so tired and fatigued from using MFA to get into the systems. That kind of stuff can be very highly automated with AI as well. Those phone calls, especially the AI voices that are being generated look very, very real. There's a number of AI tools out there that will take, for example, your website and create a podcast around it just like we're doing today, but in a very realistic sounding voice, you won't be able to tell that it's actually AI.

Cody Simms (29:21):

What percentage roughly of successful attacks are socially engineered in some way like hitting a vulnerable human versus through technology cracking your way into a system?

Roman Arutyunov (29:32):

Most of them are, I'm not sure exactly what's the number for social engineering, but I do know that 80% of it is through techniques like stolen credentials that have been exposed on the web, social engineering, phishing attacks, whether it's done by individual actors or automated software majority, like 86% of them is through this type of attack vector. Very low percentage is through actual exploits of a vulnerability on a system. Where organizations really need to focus more on protecting those credentials and that access in the first place versus overly rotating on things like patching vulnerabilities.

Cody Simms (30:20):

So really focused on employee training and testing employee setups for password management and how they react to adverse threats coming their way that they may be unsuspecting about like phishing.

Roman Arutyunov (30:34):

Today, training is one component, but the majority of the focus should be on proactive protection measures to actually ensure that MFAS is required to access any type of an asset. It's still very surprisingly, even in an enterprise, MFA is only at low 70% penetration in operational space. It's 10-20% penetration

Cody Simms (30:59):

MFA for folks who aren't familiar with multifactor authentication.

Roman Arutyunov (31:04):

Multifactor authentication, that's right.

Cody Simms (31:05):

Text message or a Google authenticator like number that you have to enter in after you enter your password.

Roman Arutyunov (31:11):

That's right. You would think that it's used everywhere. It's ubiquitous today, but it's not so requiring that zero trust, security meaning control access. Do not trust anyone, even your own employees to give them access to entire factory or entire power plant only assets. They actually need to do their job. That should be the policy, and then just limiting the attack surface, meaning that most assets don't need to interact with each other. You don't actually need a network for every device to talk to each other in operational space because you only need certain devices to talk to each other to perform that process, but not everything, so limit that and control that access.

Cody Simms (31:59):

Could you maybe elaborate on a few specific real world examples of known attacks that have been publicly disclosed at this point as a way to help us understand how these various factors come together and provide us with some tangible examples of worst case scenarios coming to life?

Roman Arutyunov (32:22):

A good example that I like to give is there was an attack, I think about five years ago, I think it was publicized by Washington Post on the New York Times where we detected that Russian state actors have actually infiltrated the energy grid. It went into great detail describing on how they did it. The learning there was that even though utility had pretty good controls for access with their own employees, the issue was that the state actors leveraged remote access through a contractor or contracting firm, so basically a partner company that this energy grid operator was working with and they didn't have as good of controls in place. Their employees were able to access the energy systems, so that's a big concern.

Cody Simms (33:14):

Was that the SolarWinds attack?

Roman Arutyunov (33:16):

I don't believe it was a SolarWinds. It was another attack. I don't recall the name anymore, but it was highly publicized, but similarly, I mean SolarWinds is another great example. Once they're in and the energy operator is not prepared, they'll be in there for quite some time and they will able to spread across the whole entire infrastructure. The techniques that are used, they're called RATS, so Remote Access Trojans short for RAT, and that RAT may be sitting in there for some time until the state actors needs to exert control. They'll be looking for commands essentially at the right time. Once that command is given, it will inflict the action, which may be to shut down power for some time today. These types of attacks are often used and very easy to set up as well.

Cody Simms (34:10):

Helpful to hear the context of how it comes together. Love to just hear a little bit more on Xage. I think you guys are what a series B stage startup right now and you've raised a few rounds of capital including some strategic energy players involved on the investment side. Maybe share a little bit about how you've capitalized the business and what's next for the company.

Roman Arutyunov (34:33):

We're a series B company and we're growing quite fast. The funding forage is a combination of traditional venture capital as well as strategic investors from the industrial space as well as from the defense. We have investments from Saudi Aramco, we have investments from SAIC, which is a big federal contractor. We had early investments from General Electric as well. These companies are all users of Xage products also as well as strategic investors in the company. It's exciting times I think in the operational cybersecurity in general, but especially in energy. Energy is going through a big transformation with renewables as well as like I mentioned, infrastructure networking and the critical nature of the energy infrastructure period. We're seeing strong growth in the sector become even stronger as they adapt more and more AI technologies themselves to drive their operations. It's good times. The company itself, we're a little over a hundred people now, long ways from just the two of us when we started, so it's been an interesting journey for myself personally in this space and I've spent the last 20 years I would say in cybersecurity and industrial infrastructure myself, so protecting industrial infrastructure is sort of my passion.

Cody Simms (36:00):

It's certainly a fascinating time and one of the trends we didn't even talk about was how with distributed energy resources, more and more companies are bringing power management under their own umbrella as well, and so you're seeing a lot more behind the meter power off-grid power where companies are doing onsite power production in a greater and greater way. We're seeing this in spades with the data center boom right now, and I expect we'll continue to see it with other forms of industry too, which I think speaks even more to just how important managing end-to-end security operations of these assets will become in the world ahead of us.

Roman Arutyunov (36:43):

That's very true. I mean, you sparked a thought for me. If you actually think back just to maybe 15 years ago, utilities didn't even know that power was out in your house. Your meters weren't connected, and there was really no way for them to tell there was no network infrastructure in place, so you actually had to call 'em to let them know about that. Today, we all have smart meters. We have resources behind the meters, not just that we have thermostats, we have power generation and storage facilities. They have very good understanding of what's going on in your house at any given time. That creates also challenges for them because now all of a sudden they went from really no connected devices in the last 15 years to billions of connected devices that they have to now manage and secure as well.

Cody Simms (37:32):

My home with rooftop solar is a power generator and with an EV charger is a gas station. It's all my own home. It wasn't that way five years ago.

Roman Arutyunov (37:42):

There's more to come, so definitely an exciting space.

Cody Simms (37:46):

Roman, thank you so much for your time. Really appreciated learning from you. Good luck as you continue to build Sage, and thanks for helping to keep our assets as secure as possible.

Roman Arutyunov (37:56):

Thank you, Cody, and thanks for having me. Good talking to you.

Cody Simms (37:59):

Inevitable is an MCJ podcast. At MCJ. We back founders driving the transition of energy and industry and solving the inevitable impacts of climate change. If you'd like to learn more about mcj, visit us at mcj.vc and subscribe to our weekly newsletter at newsletter.mcj.vc. Thanks and see you next episode.