Cybersecurity in Critical Industries: Lessons from Medical Devices to Automotive

Episode 21 August 12, 2024 01:10:52
PrOTect It All

Hosted By

Aaron Crow

Show Notes

In Episode 21 of "Protect It All," titled "Cybersecurity in Critical Industries: Lessons from Medical Devices to Automotive," host Aaron Crow is joined by experts David Leichner and Shlomi Ashkenazy to explore the multifaceted world of cybersecurity across various critical industries. 

 

The conversation starts with Shlomi sharing a transformative personal experience in London, emphasizing the importance of pursuing one's passions. David follows with a moment of realization about the critical nature of cybersecurity during an eye surgery, underscoring the necessity of protecting people through robust cyber measures.

 

The episode delves deep into how cybersecurity practices are implemented in the medical device, automotive, and industrial manufacturing sectors. David, Shlomi, and Aaron discuss generative AI and its dual potential to enable and defend against cyber threats, drawing parallels to cyber weapons like Stuxnet. The importance of secure design, continuous monitoring, and compliance with ever-evolving regulations is highlighted, particularly in upgrading legacy systems in critical infrastructure.

 

With comprehensive insights into integrating IT and OT cybersecurity measures, the episode provides a compelling call to action for increased awareness and collaborative efforts to bolster defenses. Aaron also extends an invitation for engagement through conferences like Black Hat and Defcon, where practical solutions and innovative strategies are showcased.

 

Tune in to gain a deeper understanding of the critical intersection of cybersecurity in various industries and learn valuable lessons from the experts on safeguarding our digital and physical world.

 

Key Moments: 

 

00:10 Security threats have expanded to 15-year-olds.

08:35 Privacy breaches occur through overlooked device vulnerabilities.

12:14 Power utility leading in cybersecurity due to regulation.

17:06 Smaller companies need to prioritize cybersecurity measures.

26:42 Security strategy requires adapting to different environments.

28:30 FDA emphasizes cybersecurity importance at the H-ISAC conference.

37:43 MIT study simulates cyber attack, uses AI.

40:24 AI can eliminate manual product development processes.

46:16 Cybersecurity brings unknown threats: deterrence or powerful AI.

50:26 Black start plants generate and transmit power.

59:00 Soft skills are crucial for effective communication and trust.

01:00:09 Sent demos to heroes, got a minimal response.

01:06:47 Promoting face-to-face meetings and events globally.

01:10:19 Agreement on conclusion of project.



About the Guests:

 

David Leichner

 

David has over 25 years of marketing and sales executive management experience garnered from leading tech companies including Cynet, Information Builders, Magic Software, Gilat Satellite Networks, BluePhoenix Solutions, and SQream. At Cybellum, a provider of integrated cybersecurity solutions for leading device manufacturers, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s market penetration.

 

Shlomi Ashkenazy

 

Shlomi is the Head of Brand and Strategy at Cybellum, overseeing product security thought leadership, positioning, and brand activities. A physicist-turned-cybersecurity brand builder, Shlomi spent the years before joining Cybellum as a consultant, working with dozens of founders in the cybersecurity, AI, DevOps, Quantum, and Health Tech industries on building their brand, product marketing, positioning, and messaging. Shlomi also produces and co-hosts "Left to Our Own Devices: The Product Security Podcast" and spearheads multiple business strategy and GTM initiatives at Cybellum.

 


To be a guest or suggest a guest/episode, please email us at [email protected]


Episode Transcript

[00:00:00] Speaker A: You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow. How's it going, y'all? How's it going?

[00:00:21] Speaker B: Really well.

[00:00:22] Speaker A: This is. This is a unique one, right? We're kind of doing a double double hitter here. So both of us have podcasts. So we're doing this to share on both of our platforms because conversations like this are important. So it's fun. I don't always do. Normally it's a one on one or even a solo episode. So today, having the three of us, I'm excited about how the conversation goes and what all we dig into.

[00:00:44] Speaker C: Same here.

[00:00:45] Speaker B: Great to have you on board. Great to be on board. You're going to be a bit schizo today.

[00:00:51] Speaker A: That's okay. Well, so the audience that doesn't know me, my name is Aaron Crow. I come from 25 plus years doing cybersecurity and technology. Half of that time has been spent in the OT space, operational technology, and a lot of that has also been spent on the IT side. So everything from working at, you know, Fortune 100 companies, doing, you know, networking stuff, I was a CTO of a software company, cybersecurity software company. I worked in consulting, you know, at the big four, and I've even owned my own consulting. So I've kind of been all over the map. So my experiences kind of spread the whole gamut. And so I could wear a lot of hats and see it from a lot of different perspectives just because of the experiences that I've had.

[00:01:33] Speaker B: Well, Shlomi, can you top that?

[00:01:36] Speaker C: I can try. I'm not sure. I'm not sure I can. But I'll let you be the last because you have probably the most interesting story.
So I'm Shlomi. Today, what I'm doing is I'm leading branding and strategy for Cybellum, which is a company in the products cybersecurity space. But I spent the past ten years actually being a consultant, similar to Aaron's, but on the other side of the spectrum, and was more of a business strategy consultant at Deloitte and then more of a branding consultant. So I had the chance to work with quite a few cybersecurity companies and see kind of the arc of cybersecurity develop in the last ten years and as new technologies came in, et cetera. So that was an interesting ride, and that's pretty much it for me.

[00:02:26] Speaker B: David. Cool, so let's go back a few years to pre-cybersecurity. And I was working on network security and operations for a defense contractor putting in the largest fiber optic implementation of its kind in Los Angeles, actually one of the biggest at the time in the United States. And fast forward a few years.

[00:02:54] Speaker A: White hair.

[00:02:55] Speaker B: Yeah, fast forward a few years. And as Shlomi and Aaron also said, I've been involved in several vendors of cybersecurity solutions, including for endpoints, networks, and most recently Cybellum, where we're doing product security for automotive industry, medical device industry, embedded systems, and basically the things that keep people alive on a daily basis, which is really exciting.

[00:03:25] Speaker A: Yeah. You know, we're seeing a lot more in the news, and we're seeing a lot more things come up. I remember again, David, before we called it cybersecurity, you know, I was doing this, and we didn't call it that, but I was still doing cybersecurity type work. It was similar, you know, network segmentation and putting in firewalls and things like that. And the conversations I was having back then, it was like nobody thought, like, it was going to impact me. Like, nobody's going to go after me. Like, who am I? Like, why would they want to attack me?
And I think now we're seeing more and more because it doesn't matter. It's opportunity. It's because they can, it's because financial reasons, because of malware and ransomware and all the things that we're seeing in the news. So I think more and more folks are finally starting to see it doesn't matter who you are or how small you are or any of that, you can be a target. It can impact you. So it's not enough to just do nothing anymore.

[00:04:22] Speaker B: Sure. And I think one of the amazing things that I've seen through my career is that I started working in security pre-Internet, and what's happened. We talk about the expansion of the threat vectors going into all different types of areas, but what about the expansion of the attackers? Right? Where you used to have nation states, you used to have intelligence organizations within various countries who were, let's say, trying to do offensive or maybe defensive by doing offensive types of hacking. And all of a sudden, the capability to hack was in the hands of 15-year-olds, in villages, in places where people were making a dollar a month. All of a sudden they said, hey, well, maybe we have a new line of business here, and we can certainly do a lot better than we've been doing in the past. So I think in addition to the expansion of the threat vector because of the way that the Internet is being used. But also communication advancements have given the ability to all kinds of people. And I don't want to take, you know, I don't want to say that 15-year-olds are the people that we should be worrying about, but basically, any age, any gender, any, any population have now become potentially the people who are going to try to get into your systems, and that makes it incredibly difficult to protect.

[00:05:57] Speaker C: Yeah. Yeah. You know, I had a professor at the university who used to talk about knowledge and the knowledge that you know versus the knowledge that you don't know.
So he would draw, you know, a huge circle and then say, like, the outer circle is the things that you know, and everything inside is what you don't know. So the bigger the circle, the more you know, but also the more you know that you don't know. So the reason I'm telling that story is that I think because it's late.

[00:06:24] Speaker B: In the day here and you want me to get really confused. Right, exactly.

[00:06:28] Speaker C: That's exactly my goal.

[00:06:30] Speaker B: He's the smart guy, by the way.

[00:06:33] Speaker C: Not sure about that. But what my point was is that in terms of breaches, the more time I spent in cybersecurity and with cybersecurity entrepreneurs, the more I realized that actually, the hacks that we see and the stories that we hear about ransomware, et cetera, are kind of like this outer circle. And inside, there are so many potential cybersecurity incidents that just don't happen thanks to all the innovation that we have today in cybersecurity. And some of them are pretty scary. So, you know, some probably don't happen just because there is no monetary value in them or because no one ever tried to, you know, to do those crazy hacks. But still, I think we should pat ourselves on the back every now and then and just talk about the things that don't happen as well as the things that do happen. So.

[00:07:25] Speaker A: Yeah, I mean, that's true. Obviously, there's a lot of things that can happen. And I've seen a vast change, David, like you said, right. It's before kind of, you know, left of bang, and then all the things that have happened after that and how much change has come. Like, again, I remember, you know, working in power plants and these OT environments, and the level of security was, oh, well, we disconnected from corporate or we have a firewall. Like, that was it. Like, check, I've done. I'm. I'm done with cybersecurity, to now where we have these advanced capabilities.
We're doing secure remote access and we're doing network monitoring and we're sending data to a SOC and there's somebody actually looking at the data and saying, hey, is this good? Is this bad? Like, should this be happening? And making decisions actually considering what the things that are going on in the network and in the environment beyond just the operational, because it's easy to look at the operational, the plant's running, you know, widgets are coming out the back end and everything seems fine. But we've also seen attacks, Stuxnet and others that can make operators think things are going well when they're actually not.

[00:08:35] Speaker C: Yeah, those are probably the scariest ones, the ones that you don't even know happen. And this is, I think, how a lot of the privacy and data breaches happen because, you know, the data is being taken away by the breachers. And you only realize that after the fact sometimes. And I think from our point of view, and David, you can probably add to that. What we found is interesting in the OT context, is that there is a lot of focus on the network side and as you say, on the data exchange and how to safeguard that, but less so on the device side and on the product side, which we see as at least as important as the network side, simply because some of those devices are very old and legacy devices, and they are also potential breach sources in a lot of different ways. When you talk about embedded systems and their complexity, there's so many ways to breach through them. So this is why I think it's always important to look at all of the areas from which an attack could happen and not just take the obvious one or the one that we think is the most prominent.

[00:09:56] Speaker B: You know, and I think something else is happening, especially over the last three to four years.
We're seeing a lot of governments coming out with new regulations about cybersecurity, whether it's the White House coming out with the omnibus bill and specifically targeting supply chain medical devices, whether it's the recent CRA in Europe. And what to me is very interesting, I've heard different industry figures say that the main reason why they are doing significant cybersecurity, whether it's SBOM, software bill of materials, vulnerability monitoring, compliance in general, is specifically because of the regulations. And in fact, when they talk about risk management, they talk about, okay, the risk is not just the risk management of will I be hacked? And what would that do to the consumer if it's a consumer product? But what is the risk that I'm going to get caught by the regulatory agencies, because that's like getting caught by the IRS. You get caught once, you're on a list, and they're going to keep coming after you, and their audits are going to be very deep, and the audits are going to be very nasty. So, in fact, one automotive vendor said, we do cost risk analysis on safety in the cybersecurity area. And that's very different to another representative engineer of an OEM, who we actually spoke to last week. And she said that there's a very strong convergence between functional safety and cybersecurity. And they're doing the cybersecurity because they want to, because they are concerned, and they don't want their names to be in the headlines the next week as being the company that had, you know, whatever crashes of their cars or whatever it is, you know, due to issues of attacks. And so I think that's also interesting. It's not only the fact that we have to do all of these checks, not only the fact that we have to worry also about the network, also about the firmware and about the endpoints and, you know, have your firewalls in place and everything else, but what is the impetus for doing, you know, putting serious cybersecurity programs into place?
[00:12:14] Speaker A: Yeah, I've spent a lot of my career in power utility, and if you look in the United States, there's 17 critical infrastructures that are in our country deemed by the government. And I would argue, and most do, that power utility is the most advanced of those as far as down that path of cybersecurity. And I think you can really tie that back to the regulation. NERC CIP. NERC CIP came out and they really pushed, you know, the requirements. And like you said, David, there's a huge stick of, if you're not compliant, then there are huge fines. And I've seen very, very large fines, millions, tens of millions of dollars put on companies that were out of compliance. So there's, there's a really big thing, and it kind of leads to, you know, cybersecurity is. Is not a, it's not always a way to be more efficient. From a financial perspective, if I bolt on cybersecurity, I'm not necessarily making more widgets more efficiently. It's not lowering my cost. In fact, it's usually adding cost on to my systems. Sometimes it's hard to justify from a business perspective, that risk reward. I'm adding a whole bunch of costs. And how much am I lowering my risk for that reason? So in the past, I think that's why a lot of people said, oh, well, I'll just put in a firewall, and that's enough. I'm checking that box. Right. Because that risk reward, it wasn't necessarily properly considered, I don't believe. They didn't really understand what those risks were. And I think if they really understood what those risks were, then they wouldn't be opting out of or doing the bare minimum in these cybersecurity areas. And I think that that pendulum is swinging because more and more attacks are happening, because more and more regulations are coming out in more and more industries, because we know the other thing that the regulation does is it, it justifies to the board, this is not optional. You have to do this.
And if you don't do this, not only to your point, David, not only is there a risk of being attacked, but there's also a risk of getting a fine, like, and that risk is very easy for the CFO to understand, or all the board, once you put it into money language, it's like, oh, well, obviously we're going to spend a dollar so we don't get fined five.

[00:14:37] Speaker B: Right?

[00:14:37] Speaker C: Right. Eventually, nothing would put your cybersecurity program in overdrive more than a fine or an attack. Those are like, the two sure ways to get there. I remember we talked to some cybersecurity manager from SolarWinds a few months back about the attack, and they now have, I think, at least according to our conversation, that's how it sounds, like one of the best top notch cybersecurity programs in the world, really, because of this wildly publicized attack. So, unfortunately, that's what drives cybersecurity programs more than anything. But I agree with you that I think it's changing. I mean, companies, we see that, for example, in the medical device space, also in the automotive space, companies who are already under specific regulations take it as a must have. And then the question becomes not, why does cybersecurity postpone my releases or postpone my deployments? It's more like, okay, that's the basis we have to comply. Now, how do we innovate quicker with cybersecurity in place? And that's a much better question and a much better framing of that problem, because then cybersecurity becomes kind of a partner to this process. That's where you start seeing, for example, threat modeling and TARA come in early in the development phase. They want to partner with cybersecurity because they know that will allow them to innovate faster. So I think eventually it's a very healthy progress, definitely.

[00:16:19] Speaker B: And I think secure by design, you know how far left you're going to go.
And to ensure that as you work your way through the development cycle, everything that you're working with is secure, whether it's coming from the supply chain. And, you know, I recommend, Aaron, if you haven't been to the Embedded World show in Nuremberg in Germany. Right. I think they're putting one on actually in North America this year as well. In Germany, they have like five halls of, of small companies, big companies, huge companies that are selling their components. And it could be something for a car, it could be something for a control system in industrial, you know, one of the industrial, one of the 17 industrials, it could be, you know, just like a widget. And when you talk to the smaller and mid-sized companies about cybersecurity, you know, if you ask them, you know, do you guys create SBOMs for the components that you're selling? They're like, what's an SBOM? And then if you talk to them about cybersecurity, they're like, well, we don't need cybersecurity because we give it to, to a large integrator. And they worry about cybersecurity. Well, those days are changing. And in fact, some of the very large integrators, they've taken the steps of, number one, making sure that the component providers are providing secure components, and number two, that if those companies are what we call cybersecurity poor, if they don't have any knowledge or they have very limited knowledge on how to create these secure components, then they will actually work with them to help them to get to the point where they're able to deliver components that have been checked and whether they've put out SBOMs for them or doing vulnerability monitoring or whatever it is, to make sure that even going as far left as these small providers that can be from the US, from Taiwan, from Germany or wherever else, that it's not going to hold up their development process.

[00:18:17] Speaker C: Actually, I have a question. Yeah, sorry, go ahead.

[00:18:19] Speaker A: No, go ahead, go ahead.
[00:18:21] Speaker C: I just had a question for you, actually, Aaron, I'm curious, since you have a very unique perspective.

[00:18:28] Speaker B: Shlomi is a curious.

[00:18:29] Speaker C: When I say the word curious, I say it a lot. But I am curious. You have a very unique perspective because, you know, a lot of these 17 critical infrastructure industries, so do you see the gap between them closing or widening or staying the same? Because we have vastly different industries there in the list of 17. So what do you think?

[00:18:55] Speaker A: Yeah, I definitely see there's a huge gap. I think that gap is closing. I think, like I said, power utility is probably further in front. I would say oil and gas and pharmaceuticals are pretty far in the front as well, but for different reasons. Obviously, there's regulations in those as well, but I think those are more. They have more revenue and more finance, you know, more budget to throw at the problem. Whereas, you know, in power utility, a lot of these times, you know, a lot of these environments are not regulated. So they don't have... take a step back really quick. In power utility in the United States, many of the states are regulated, meaning I can. I can go get a rate case and actually guarantee, hey, if I'm doing a capital project, I can pass that cost on to the. The ratepayers because it's. It's the cost of doing business. It's no different than, you know, upgrading a turbine or. Or doing boiler maintenance or any of those type things. They've. They've included cybersecurity in that. But in the non-regulated environments, I have to do that maintenance out of my pocket and hope that I can recoup my costs. So it's harder for those non-regulated entities to do that. Right. So that's where regulations come up. But to go back to your original question, I see this changing. I see wastewater, local municipalities.
I see, you know, the small manufacturers, and it's usually driven because, and, David, you hit on it because more and more customers are asking for it. Like, when they're. When they're talking to these vendors in their terms and conditions or when they're. When they're evaluating these new products, they're asking those questions, do you have an SBOM? What is your cyber, you know, hygiene like? They're asking those questions, so it's holding those vendors up to a different standard, so they're needing to come in. Right. And the sooner, the irony is, the sooner that we get these things done. You talked about, you know, secure, you know, designs, cyber by design. Right. I was at Idaho National Labs a while back, a couple of months ago, and I did their cyber informed engineering, you know, training. And it's all about designing the cyber into the process. And it's not just the cyber process. It's into the whole process of the thing that you're doing. Whether you're making electricity or driving a train, it should be done from the beginning. Right. And if you do that in the beginning, then the costs are actually lower. You're more efficient in your overall process, is not just the cyber hygiene. But the problem is, is we can't just go back and replace all of these OT systems that have been out there for 40 years. It's too expensive. That doesn't mean we can't do, we don't have to do anything. So I see this coming around. A lot of these industries change quicker, meaning that the time between installation to upgrade is shorter, whereas in an, like in some of these OT environments, power plants is a great example. I have a lot of experience in that. You know, they may sit, a power plant may have the same technology and the same equipment that it installed 40 years ago and they haven't upgraded anything, that maybe they've done maintenance on it, but they're not replacing it.
There's DOS and Windows XP and a lot of really antiquated systems that are still running critical infrastructure and they're doing a fine job. That doesn't mean you have to replace them. It just means you still have to do something. And that's, that's the other thing I think people have come around to is it doesn't necessarily mean that I have to just replace my control system or rip out all the old equipment, but it also doesn't mean I can't do anything. I can't just say, well, it's Windows XP and I can't replace it, so I can't do anything. Like, no, you can do things. I can mitigate it in different ways. I can isolate it. I can put other systems around it. I can monitor for certain things. I can lock it down. There's a lot of things that you can do that don't just require you to replace everything.

[00:22:40] Speaker C: Yeah. Yeah. It's actually extremely interesting because when you look at the evolution of cybersecurity, you always see, you know, new tools, new innovations, new ways to secure new devices. It's always about what's new. But there's a huge market out there of legacy, like cybersecurity for legacy devices, which is probably even more challenging than the new stuff. And it's not going away. So it just sounds like it's going to be more and more complicated to fend off the attacks in these devices.

[00:23:16] Speaker B: Or like Porsche did recently, they cut down, they cut out several lines of their vehicles because they weren't able to comply with WP.29 R156, which requires that legacy vehicles have the same type of cybersecurity in them. And instead of trying to retrofit, so they're just waiting, they've shut down those lines and they're waiting for their electronic versions to come out.

[00:23:47] Speaker A: Right?

[00:23:47] Speaker C: Yeah, but that's, you know, those are two widely popular, but still the two models of Porsche, I imagine when you're thinking about critical infrastructure, or even I'm thinking of my father.
My father works at a bank, and he's a mainframe expert. And these guys at the bank are trying to replace the mainframe systems for years, and they never do it because it's billions of dollars and it's a five-year, ten-year project at the minimum. So they just don't do it and it stays there and they need to deal with it. So I imagine for critical infrastructure, for energy, for these kinds of devices, it's even more complicated.

[00:24:24] Speaker B: So, Aaron, I have a question for you from your background in OT control systems. So I recently saw a session that was talking about whether or not to scan PLCs, because let's say you have a control system that has to be running 24/7, and you scan it and you discover that there's a vulnerability. So what do you do? You're not going to be able to take it down. The maintenance, that the scheduled maintenance might be eight months away, nine months away, or there might be no scheduled maintenance. What do you do?

[00:25:05] Speaker A: That's a very common problem in conversations I hear in OT, right? SBOM opened kind of a Pandora's box with that. And when SBOM first came in on the market, everybody was like, oh, my gosh, I've got millions and millions of these vulnerabilities in my environment. I can't do anything about that. So it almost became white noise, right? It's so, I have so many vulnerabilities, I'm not patching my systems, much less am I going to fix all of these other vulnerabilities. So, to answer your question, I've been scanning an OT environment since before there were any OT passive or any of these other tools. You have to be intelligent and careful with it. I wouldn't just randomly plug into some network I don't know anything about, or the systems, and then just start, you know, doing an IT scan on a system, because absolutely, it can bring things down. A lot of these older OT systems, if you scan them, they just, they just fall over. They're not designed, the protocols don't support it.
So if I just start hitting it with all these protocols, they'll literally fall over. But that does not mean that you can't go active. And active is obviously where I'm actually asking the thing, hey, what are you? Who are you? What do you have going on? What are your, what's your firmware, all that kind of stuff. Right. But it goes back to a bigger question of why. Right. What is, what is the goal? To your point, if I find a vulnerability, let's say that they, somebody hired me to come in and do an assessment on a power plant or whatever the thing is. And I said, hey, here's all the things that I found, all of these PLCs, these HMIs, all these things, they have all of these vulnerabilities. In an IT world, the answer would be, go patch them, replace them, you know, whatever, right? Get them off the network. That's the answer. That's the mitigation that a big four firm would, would recommend or, you know, an internal audit team would. Right? But in OT, that's not the answer there. If you were, if you had a sophisticated OT environment, it can be, hey, I know that this has an OpenSSL or an RDP or whatever the vulnerability is. If I had monitoring, then I can watch for, hey, I know this is a vulnerability. So I want to watch this and I want to flag and send something to my SOC anytime I see any of this type of activity, because it should not happen. So I should be, you know, it's, it's Sun, you know, Sun Tzu, Art of War, use my strengths as weaknesses and my weaknesses as strengths. So if I know that I have these vulnerabilities, I can't patch them, I can't get rid of them, but at least if I know they're there, I know to watch for them and pay attention. Hey, I know that my back door is not locked and it's broken and I can't do anything. So I'm just going to sit there and watch it. And if somebody comes in, then I'll at least be aware of it and then I can do something more quickly instead of closing my eyes and saying, hey, this is an old system.
I can't patch it. I don't have an outage for nine months. So there's nothing I can do. We'll just put my head in the sand and hope, hope for the best.

[00:27:55] Speaker C: Wow. Wow. That's, I never thought of that. That's so different, radically different than most of the industries that we deal with. Because, you know, the medical device industry, if you have vulnerabilities, when you submit the device for approval for the FDA and you don't patch them, you're out. The product is not going to go out to the market. So you have to do it. But this issue of staying watching without fixing a vulnerability because you just can't fix it, it's very interesting.

[00:28:30] Speaker B: Yeah. Not only that, but in the H-ISAC conference. So Jessica from. From the FDA, she was up on stage with Nastasia, the two. Two of the senior cybersecurity people from the FDA, and she said, don't even think that you'll get away with low priority vulnerabilities. You know, we're gonna. We're gonna insist that you take care of everything from the critical to the low priority ones, and which, which was pretty incredible. And I think there's a lot of interesting body language in the audience of the medical device manufacturers. So. Yeah, and I think it's also very different than the automotive because depending on the industry, there are different ways that the regulators are either auditing or checking or letting the manufacturers have more leeway, or maybe not leeway, but letting them put the programs into place and almost like self checking themselves and being able to show the reports on what has been done. And it could be one, because they don't have the manpower to go out to every OEM and to really check their systems, or it could be that they feel comfortable enough, given the background, for example, in automotive with functional safety, that they count on the fact that, yes, these are the programs that we have in place for cybersecurity.
These are the documentation, the evidence that we have in place. And so it works whereby in other industries, I think they need to be a lot more on top of things. I'll just as an example, one of the 17 critical, I believe, is food preparation and food manufacturing. Right? Which people, when they hear about food manufacturing, they think, oh, that's an interesting one. They don't realize how important that is. If you shut down food manufacturing, you're shutting down the daily intake of food for your population. So it becomes a seriously critical area. And when you think about, okay, what kind of cybersecurity regulations are there for that area? And I've been looking at that, and I found a couple, but they don't seem to be, you know, as strong, for example, as medical devices. And I would think that they would even have to be more, you know, more intensive because this is food that we're talking about. A medical device. Yeah, you can say I can use it or I cannot use it, but food, people need to eat. So they have to be sure that what they're ingesting is safe. And, you know, that the systems have not been tampered with. And more and more, we're dealing with robotics and robotics coming from, you know, a wide range of manufacturers from various places in the world. I don't know. It seems to me that there are some areas that we have yet to see, let's say a very strong cybersecurity input and requirement that we will see in the coming weeks, years and weeks, months, indefinitely over the next couple of years.
[00:31:25] Speaker C: I have another question for Aaron. I'm curious again. So we talk a lot about the OT and IT convergence, and that's something that, you know, in your industry is very, very prominent. My question is about following what you just said before about pre-market and post-market convergence. Do you see that happening as well?
Do you see teams working more on the secure by design side, but then on keeping a watch out for attacks and hacks like post-production CMS or incident response activities?
[00:32:03] Speaker A: I am. Which is good. It's one of the things I'm excited about is, is I do see more conversations being had bringing the right parties to the table again. In OT, you can't just go out and replace everything, right? There's too many. There's 17 critical infrastructures. Imagine how many old PLCs or, you know, things with vulnerabilities that are out there. I mean, just look at the power grid, you know, the transmission lines and how many miles of that oil lines, and, you know, think about all of those things compounded. How many water wastewater treatment facilities are in the United States. And I'm just talking about the continental United States, not spread that across the world and that exponentially grows. So it's about triage, right? It's about doing what you can do with what you have. Knowing that I don't have an unlimited budget, knowing that I need to hit, you know, the most important things for me, and every organization is different and every site is different. That's the other piece that people don't see all the time, is the sites are different. So I can have two power plants or two manufacturing facilities or two water treatment plants, and they're completely different. They have different systems. They were installed at different times, they have different, you know, interconnections, they have different PLCs, they have different vendors, they have. All of those things are different and they're unique. It's almost like an individual business every time I'm doing these assessments at these sites. So the importance of having those conversations, the pre stuff that you were just talking about is, hey, anytime I'm going to be upgrading, if I'm going to do a control system upgrade, or I'm going to be replacing technology or I'm going to be rolling out a new anything.
I need to be considering that cyber, and I need to make sure that the OT people and the IT people are at the table, because many OT people don't have the, you know, 25, 30 years of experience doing this stuff. That's not their job. They're engineers. They're really good at the process and the automation and those kind of things, but they aren't necessarily up to speed on the cyber side. So bring in those IT people who only know that stuff, but they don't know the opposite side. So that's where they butt heads a lot of times because they don't speak the same language and there's a whole bunch of assumptions and they don't. I like to say this, that we're all on the same team. Like, if I, if I work for company A, whether I'm in IT or OT, we both have the same goal. The goal is to protect the thing and make sure that we can, you know, make profits and we all keep our jobs and the company does well, and, you know, whatever we're doing, it continues to do so. And then the right of bang, right, if it's already there, what can I do? Again, bringing in those OT people, like, hey, and the IT people, again, it's all about sitting down those conversations and really understanding and saying, hey, I don't know what to look for here, bringing in your IT people. Like, instead of, I see this so many times in just a very simple example, firewalls. I want to install a firewall at my site, but I don't trust IT to support it because they're going to make changes and it's going to impact me. Right. So I understand that I've been in that role. Right. But at the same time, I shouldn't just say I'm going to do this because I probably am not a firewall expert like me as the OT person. Right? So there's an entire firewall team on the IT side that that's all they do all day long is do firewalls. They've got training. They've been doing it for 15 years. They're as good at that as the OT person is, as running his plant or facility. Right.
So it's, it's, it's sad that more and more people don't have those conversations and bring, let's say that you don't let them support it and manage it for you, but at least they're advising, hey, this is the firewall rules that we did. Can you guys review it and see if I'm missing anything? Right, let them look at it. Maybe they're monitoring it with your, with your approval. Like, there's a lot of different things that you can do, but use those resources that way you're not having to, because the other option is, is you bring in a third party, like a consulting company that manages for you, which is super expensive, and maybe it's the only option you have. But I think just having different conversations and looking at solutions to make sure that you have both teams so that you can see if I'm going to replace something or if I need to manage and mitigate the things that we already have and just do the best we can with what we have.
[00:36:21] Speaker C: Yeah, that makes a lot of sense. I mean, we saw something similar on the KPI side. We've been doing a lot of work on trying to come up with the most valuable, the most useful KPIs for product security. Because product security specifically is a relatively new field. And trying to measure it and see the business value is not always so easy. And what we found out is, you know, you have on the one hand, a lot of cybersecurity KPIs that you can track, like, how many critical vulnerabilities I have, what's my risk score, all of those things. And then you have business metrics, like how much money does it cost? Or what's the ROI on this and that. The sweet spot is when you converge the two. So if you can find KPIs that show you both your goals.
So, for example, if you look at how much time it takes me to fix a vulnerability, that's something that's relevant for both the security teams, because obviously they want to do their work more efficiently, but also for the business, because it means less resources, less time spent, less people. You know, people man hour. So that's a really good KPI. And if you can find a bunch of those, I think it makes the operation much more efficient and creates much better collaboration between business and cybersecurity as well.
[00:37:43] Speaker B: So I saw something recently by an MIT professor, and this will take us into another dimension of this conversation. So, basically, he was doing some interesting studies, critical infrastructure, where he talked about the fact that a physical attack on some critical infrastructure would be tantamount to an act of war. But if it's a cyber attack, and first of all, you have to identify where it's coming from, who it's coming from, you have to be sure. And even then you might not say it's an act of war, but so they in MIT were able to simulate cyberattacks where the result was that pressure gauges and pumps exploded. Right. So we're not just talking about taking a system offline, taking an electric grid offline, taking a water sewage treatment plant offline, but actually making them useless. And the way he did that was by using generative AI. So now we're into a new dimension here of generative AI, whereby, okay, if we can do this in the labs in MIT, certainly the nation states, certainly the rogue terrorists are able to do that in their own computer labs, wherever they are in the world. And we're talking about a whole new dimension of cyber attacks that's not just meant to take a system offline, but to actually destroy the system from within. And coming from the, you know, the background that you have of control systems of the OT side, what do you make of all this and what do you think?
I mean, generative AI is a game changer also for the hackers and also maybe for us trying to protect these types of attacks.
[00:39:39] Speaker A: Yeah, it's definitely a concern, and we should be using it for, for, for good, because we know that our attackers and the bad actors are going to be using it to try to get us. Right. But if you, if you really just think about it, like, what, what are some of the risks that we, we are seeing generative AI? And what, what value does that bring? You know, before I had to have really specific knowledge of the control system or the PLC, you look back to Stuxnet. It was specifically built for a certain equipment doing.
[00:40:09] Speaker B: We know nothing about it.
[00:40:10] Speaker A: Right, right. So whoever built it, right, it was, it was done specifically for that equipment. Right. So somebody had to have extreme knowledge of those systems and have a bench, probably, of that equipment. And they were, they were building this code, and then they were seeing it, how it reacted, and they were getting the responses and they were doing QA. I mean, it was a normal, you know, secure product development team, right. But you don't necessarily have to have that now that you have AI can, can get rid of the requirements for a lot of that, right? You can, I can put it and say, hey, these are known vulnerabilities. How can I attack it, right? Or this, it's this firewall. So we can start using AI, our attackers can start using AI to shorten the gap like before. We had script kiddies back in our day. You could go all the way back to hackers, and you're downloading different things, and you're trying codes that are already out there or attacks that are already out there, and I'm just using them and throwing them against the wall. But AI can do that, the same thing, and it doesn't have to be one that already exists. So, you know, we look at all these vulnerabilities and vulnerabilities. Look at SBOMs or any of these things, right?
And those are known vulnerabilities. But all those vulnerabilities, before they were known, they were unknown. And we look at Stuxnet again, going back to Stuxnet or any number of those before it came out, nobody knew about it. But the vulnerability was still there. We didn't know about it. Like, zero days is by very definition, what that means. So there's an unlimited number of zero days we know nothing about. And how can AI, the right person in an environment, and we're not even talking about a nation state, but if we just have a relatively intelligent person, he grabs a PLC off of eBay and uses AI, how quickly can they get a vulnerability and find a vulnerability and then find another device that they know where one sits and go after it, right? I think not very, very quickly. And that's just an individual. Imagine a nation state that has unlimited resources and a huge budget and how they can use AI to make it faster. And it's not about, AI is not going to do anything that a human can't do, right? Nobody's saying it's supernatural. It's, it's not going to be able to do anything that a human can't do. But how much can it do it quicker? How much can it save and make it more efficient? How much quicker can they do it without having to have a hundred people? Maybe they can do it with five and represent a bigger challenge. You know, these smaller actors will be able to compete with, you know, the bigger guys that are, that are going after these things.
[00:42:53] Speaker B: Especially if you think about, like, let's say that they embed the code inside of the PLCs and, you know, they just wait for the time that they want to actually implement something there that they can do very quickly and take control of some of these industrial systems or critical infrastructure systems. But, you know, maybe today isn't today, but, you know, and then depending on what they've put in, it could be very well that there are no vulnerabilities.
It's just a direct connect that they can open up whenever they want. I'm sure. I'm sure we're going to have situations like this where we find that critical infrastructure has been. What's the word for it? The code's been changed. And either it was caught too early. I mean, it was caught not too early. It was caught early, or it was caught late.
[00:43:42] Speaker A: Bts that are left. Yeah, yeah.
[00:43:44] Speaker B: And that, you know, that they have the potential to really cause havoc with our critical infrastructure.
[00:43:52] Speaker A: Absolutely. I mean, you see, we've seen it in the states a little bit. There was an attack in North Carolina, and it was a physical attack. Somebody took a rifle and shot transformers. Yeah.
[00:44:04] Speaker B: Yeah.
[00:44:05] Speaker A: The problem with that was because of supply chain. There's these compounding issues. Because of supply chain that an entire area of the grid in North Carolina was down for like a week, and it was really just because they knew what the problem was, but they couldn't get parts to replace it in time, so they just had an outage and they couldn't fix it. But even if you found that. Yeah, go ahead.
[00:44:28] Speaker B: Sorry.
[00:44:28] Speaker A: Go ahead.
[00:44:29] Speaker B: No, no, I was going to take us to another area. So, you go.
[00:44:32] Speaker A: No, I was just gonna say, if you, if you look at that and, and you, you attack that across the grid or across the water or trains or whatever, it can be really small impacts. Like, you're not. It's the target attack. I'm not going after the biggest power utility that has the most money, and they're spending all this stuff on OT cybersecurity. I'm going after the little guys, and if I hit the right ones, then I can have a bigger impact. And because of supply chain, if I do cause physical problems, I can cause a small problem, can, can become something big.
If you look at a turbine at a power plant, you know, it's 18 months to two years before I can replace it. So if I can cause it to physically damage, and I don't mean explode, I just mean enough that I can't run it. It's out of alignment. Like, I blow up one, one turbine or one fan in a turbine, then I can't run that turbine without causing more damage. And then that, that entire system is down for at least probably two years. It's not like they have a spare turbine sitting over on the corner, right. Those things are built in Germany, and they're, they take a long, it's purpose-built for that location. Like, and that's, that's across OT. I see that being a very large concern with, with, you know, how do we, how do we defend against that?
[00:45:47] Speaker B: Right. It's very strategically, this is what I, what I wanted to say before, it goes back to our, one of our first podcasts, which something so simple as a third-party application allowed a 19 year old in Germany in a small village to break into, how many there were, 30 Teslas around the world.
[00:46:06] Speaker C: 30 Teslas. Yeah.
[00:46:07] Speaker A: Yeah.
[00:46:08] Speaker B: And to take control and open up garage doors and, you know, so it doesn't take that much. It just needs, you know, one little opening.
[00:46:16] Speaker C: It goes back to what I said at the beginning, that the more I learned about cybersecurity, the more I realize there are endless unknown attacks that could happen. I think eventually one or two things will happen, right? Either it will become like a tool for deterrence so all the nation states will know that all the other nation states have this power. It's kind of like nuclear weapons, but no one's going to use it because the implications are too big. Or, and, or each nation state will also have a very powerful AI to fend off these attacks, ready, ready for action at any given moment.
But this would need to be kind of, I guess, a statewide or a countrywide thing where you have this AI protective layer against all the AI attacks that could come in. I mean, it would get crazy at some point.
[00:47:05] Speaker A: Yeah. I mean, if you look at. That's a concern. And again, I keep throwing up Stuxnet, but it's a great example of that. We all unofficially know, or at least heard through the grapevine, that that was a, you know, built attack by a nation state that was designed to go.
[00:47:21] Speaker B: In or two together.
[00:47:22] Speaker A: Or two together. Right. To go in for a very specific purpose and shut down, you know, the, the thing that it did. Like, we don't have to get into the details. Everybody's heard it. We don't have to go back into that. But the problem is, is what happens. It's not like a missile or a bullet. The problem is, is that thing can then be grabbed. And I can do. I can find that thing, that weapon I just shot at or shot at whomever I'm attacking, they can then take it, manipulate it, and shoot it back at me, right? So I can take that attack, that product, that thing that I created to attack this one thing, Stuxnet. Now, we see Stuxnet in the wild. Now, granted, because it's so specific, it's not super dangerous unless you have the exact system that is done. Now, that doesn't mean it can't be manipulated to be used in other ways. But the, the original purpose is that one thing. But again, the problem with cyber malware and APTs and all those types of things. Even if we're the good guys and we're going after the bad guys. The bad guys then. Can then turn it around and attack the good guys. It's the whole good and bad is I'm being.
[00:48:30] Speaker B: Yeah, you take the code base, you throw it into, into AI engine, and you say, okay, take this and now manipulate it so that it's able to attack. I don't know, you know, the electrical.
[00:48:42] Speaker A: Grids or product B, site A, they have these things. How can I.
These known vulnerabilities? Yeah.
[00:48:49] Speaker C: Do you think, Aaron, that at some point it will make, you know, nation states decide that they should have a backup plan of, you know, critical infrastructure that's completely air-gapped, not connected, just in case, because at some point you lose control over this thing and there, there are only so many attacks that you can fend off. So what do you think?
[00:49:10] Speaker A: I can definitely see that. I actually read a book not too long ago talking about the whole nuclear system. And if you look at that, America's nuclear weapons are analog. They don't have digital systems. They actually use like our ICBMs have. They basically, they look at the stars to navigate. They don't have GPS. They don't have any of that kind of stuff. And part of the reason for that, a, it was designed, you know, way back in the day, but b, they don't want it to be attackable. Right. They're keeping it. If you look at nuclear power plants, same thing. Like most of those technologies, they have analog. They have tertiary systems. So a normal power plant may have a primary and a backup. Well, well, nuclear power plants have a tertiary, so they have a primary backup. And a, and usually those thirds are analog for the exact same reason. So that I can fail when I fit. When the digitals break, I know it's going to work this way. I can absolutely see a place where our supercritical systems with power utility, we have something called black start. Black start is if the entire country goes dark. You can't start a power plant without electricity. So it's kind of a chicken and egg thing. So how do I get a power plant running if I don't have electricity? Well, they have black start plants and they have little generators. And they get a small plant going to get a little bit of power going. And then they jump start the next plant. And then the whole transmission thing is there's.
There's frequencies and it's all a big, very complicated physics problem. And, and we have to do those things. If you look at those black start plants, most of the time, it's not always the case, but most of the time they're smaller. And the main reason they keep them running is because the grid we as the country pay the providers to run to have those plants basically sitting idle waiting to be for this exact reason. So they're not necessarily doing maintenance on the same type of maintenance because they're not running. It's like I've got a chainsaw, and I started once a month to make sure it still runs, and then it just sits in the corner. I'm not using it every day until a tree falls. And then I need to make sure that my, that my chainsaw works. That's the black start plant. So I can absolutely see where we need to make sure, especially in some of these more critical systems. Waste water. You know, electricity, we see when electricity goes down, you can't pump gas, water, you can't get water. Like, everything in our country shuts down across the world. Like, you're a third world country very quickly when you have no electricity because every other system is impacted by it. Maybe you have some backup generators that run for a little bit. So how can we, from a cost perspective and just from a time and opportunity perspective, how can we have that backup plan right? And how can we bulletproof our systems so that we know how to get back up if the worst case scenario happens to. And are the right people having those conversations? I'm afraid that probably not. Or if they are, they think the risk is not. The risk reward is not there yet, but unfortunately, I think that may be something we need to consider, at least at some large scale.
[00:52:20] Speaker B: You know, about two weeks ago, I shut off my landline after all these years. And the guy from the PTT here, he called me up and he's like, are you sure you don't want it as a backup?
A lot of people keep it as a backup in case the cellular networks go down. And I was thinking, hmm, it goes back to what you said. You have to get to, like, the most basic of the basic, of the basic if we ever get into that situation. And you know what? It's, yeah, you know, we can look at various movies that have been produced and, you know, futuristic stuff that we think about, but I hope we never get to that stage. If we get to that stage, it's going to be a really sorry world that we're living in. And, you know, I try to be more optimistic and think, you know, full steam ahead. And I really hope we don't get to that stage because that would be, it would really set things back quite far after we've come so far.
[00:53:21] Speaker A: And it's scary to see, you know, obviously there's pretty large things going on, Ukraine, Israel, things that are going on right now. And we see when wars happen, they kind of throw out the rules. Right. We've seen things in Ukraine where they're not necessarily attacking, but there's fighting going on around a nuclear power plant. Imagine what could happen if bad things happen there. Right. Nuclear power plant. Obviously the biggest problem is, you know, you look at Fukushima or you look at Chernobyl, that's, that's the worst case scenario. Right. So fighting around those things is a bad idea. You know, explosions around a nuclear power plant is bad, but we see those things happening because they're in war and they throw out logic sometimes. And maybe the, maybe the commanders don't want that to happen. But I, you know, the guys on the, on the ground are just doing what they think is right. But whatever the reason, it doesn't really matter. And I'm not trying to get political at all, but it's about, hey, we know things happen, so we have to plan for worst case scenario. We can't just assume.
[00:54:30] Speaker B: Right.
[00:54:30] Speaker A: Nobody is dumb enough to do that because somebody is dumb enough to do that, even if it's out of ignorance. I didn't realize the big implications of that. Right. You talked about the AI fight, right? I heard somebody speaking about that. Who, whoever the first is to have, you know, the real generative AI is going to can and probably will really control, like, everything because they're going to, they're going to be so far ahead, which is why it's like an arms race. It's, it's, it's the cold war. It's America and Russia going after the nuclear, you know, arsenal. China, America and all the others are.
[00:55:08] Speaker B: Yep.
[00:55:09] Speaker A: Yeah.
[00:55:09] Speaker B: I'd add to that, other countries, I'd add to that, you know, centers of exploration are very smart people who might live in countries we didn't even think about, who are working day and night to try to come up with the ultimate, you know, generative AI. And I agree with you. It's a game changer.
[00:55:31] Speaker A: I feel like we're at that place, you know, the Manhattan project with, with Einstein, and he's like, you know, we've let, this Pandora's box is open. Unfortunately, I don't really see a place where we can stop it and say, hey, okay, everybody, let's just talk about this now because I think we're at that cold war. Well, I've got to get it before you get it, because if you get it before I get it, then you're going to control me, and I can't allow that. Right. So unfortunately, we're just ratcheting these things up. I think AI is good, but I also think we need, just like with anything, nuclear. Nuclear energy is amazing. I believe that we should, we should have nuclear power everywhere because it's clean, the waste is small, like, there's no pollution. If we really cared about global warming and all those types of things, that would be what we use, but we don't because we're scared because of Fukushima and Chernobyl and nuclear bombs.
It's terrifying, the technology. But if it's done right, nuclear power itself is very, very awesome. I mean, it's what our sun is. Right. But when you put it in a bomb, it's really bad. Right? Same thing with AI. AI can be a tool for good, but it can also be used by bad actors to do bad things. So we've got to consider both when we're building this technology. Unfortunately, we've already let Pandora out. Now we need to make sure that we're considering how to have a treaty, how to regulate. If you looked at the Cuban Missile Crisis or any of those types of things, where we, we came to the table and Reagan and Gorbachev back in the day, right, they came and said, hey, let's, let's bring down. We don't need 40,000 nukes. Let's, let's start de-arming a little bit. We need, we both need to have it. We're probably not going to get to a place where we have zero. But we also don't need to just be playing on the razor's edge of total annihilation of our entire world.
[00:57:17] Speaker C: Totally. So maybe to finish on a more positive note, there's a question. Well, there's a question we always ask at the end of our podcast, which is what, what was the most amazing, hard to believe defining moment in your career so far? And I bet you got a really good answer, Aaron. So I'll hand it off to you.
[00:57:37] Speaker A: You know, I've had a long career, so there's been a lot of those, those moments. You know, I think for me, it's some of the biggest things. My career trajectory has been unique in that I didn't always have the experience I needed for the job that I was in. Right. There was a seat and nobody else stepped up. And I was able to step up. And this started. I was 18 in college, and I was working technology jobs back in the day doing desktop support and things like that. So I was always willing to take risks and step up to something that I was not necessarily competent in.
And that goes from technology stuff to also, you know, later in my career, it was really about more of the soft skills. Right. There was a part in my career where I really transitioned from, yes, I still do technology, and I'm still pretty deep in the tech, technical stuff. But, but public speaking, being on a podcast, because it doesn't matter how smart I am at configuring a firewall, if I can't explain it to the person across the table from me, that is not as technical. Right. I can't just browbeat them and say, you know, you need this because. Just trust me. Because I said so, like that, you know, the parenting tactic of do what I say because I said so. It doesn't work in the world.
[00:58:55] Speaker B: It doesn't work.
[00:58:56] Speaker A: The more that I can, I can transition into.
[00:58:59] Speaker B: It doesn't work at home either, by the way.
[00:59:01] Speaker A: It doesn't. I have three kids, and it does not work with them either. The more that I can have those conversations and explain things in a way that they understand without being condescending or like I'm talking down to them, you know, it's probably not the traditional answer, but I think that that transition from technical to. I've always had some of those soft skills, but when I really started focusing on them, it's amazing how much my career and my ability to do the things that I want to do, because really what I care about is being able to protect these environments that I know so much about and I'm so passionate about, but unless I can explain it to people and make them trust me, building trust, like, we change at the speed of trust. So the quicker that I can make you trust me and not in a negative way, like a, like a con artist, but really build a true trust with you, the more likely you are to listen to what I have to say and not, not look at it as, hey, I'm trying to pitch you or sell you something, but I really care about this, and I want to help you.
[00:59:58] Speaker C: Wow, I love that answer.
[01:00:00] Speaker B: So, Shlomi, what about you? What was the most amazing.
[01:00:03] Speaker C: Oh, wow.
[01:00:04] Speaker B: We've never, we've never actually asked each other this question.
[01:00:07] Speaker A: Yeah. I'd like to hear y'all's answers.
[01:00:09] Speaker C: That's true. I've been asked this question before in another podcast that had nothing to do with cybersecurity. So I guess I'll give the same answer, which, again, has nothing to do with cybersecurity. So, a few years back, when I was working at Monitor Deloitte, I decided I was always a musician and I wrote songs and stuff like that. And I decided that probably the busiest time of my life, being a measurement consultant, is also the best time possible to try out that music thing. So I took a few days off and I recorded some of my songs as demos, and I just decided that I'll send them to all of my musical heroes and producers and everyone I want. Just. I don't know what I drank this week, but I felt like this was a good idea, so I sent it to, like, 30 people, 99% of them or so. That didn't get back to me, but one or two did get back to me, and one of them was a legendary producer from the UK who worked with the Rolling Stones and stuff. And he said, I really like that stuff. How about you come over to my house in England in a few months and we'll record your album? I love it. And that started a whole different trajectory in my life. For the next six months, I needed to convince my managers that I would need to take time off. They didn't understand what I was on and why I'm doing that. But it ended up being the most incredible six months in my life where I went to London, recorded an album, felt like I'm in Dreamland, basically. And that's something I carry with me ever since, because, you know, I never, I never became Bono or anything like that, but.
[01:01:58] Speaker B: Oh, come on, don't be modest. Don't be modest.
[01:02:01] Speaker C: Maybe I will still. But, no, just the simplicity of trying out something and how easy it is. Sometimes people focus on how complicated it is and don't do stuff and don't try new stuff just because of how complicated it seems to them. But eventually, those things are so simplest, so simple. If you're passionate about something, there's got to be someone on the other side that, you know, has the power, has the kind of the ability to help you, and they probably will, because that's how the world works. So, yeah, that was definitely the most amazing moment in, I guess, my career, you could call it so far. And I carry it with me ever since.
[01:02:51] Speaker A: I love that.
[01:02:52] Speaker B: Wow.
[01:02:53] Speaker A: All right, David, you're out.
[01:02:54] Speaker B: I'm hoping you'll forget about me. How can I top those stories, man? Look, I'll give you my aha moment. How's that? When it comes to cyber, because I've had a lot of things, I've had a long career and many things that have been really good in the career, some things that were less good. But last year, last summer, I was having laser surgery on my eye, and I had the, you know, the doctor, the surgeon, he put this thing on the eye and he said, okay, now for 19 seconds, I'm going to turn on the laser, and I'm laying there and he puts this thing on. And I start thinking to myself, I really, really hope that somebody has checked this medical device for cybersecurity, because if not, I'm going to have a hole in my brain that was what was going through my brain. Right. And at that point, I got it. I really got it of why we're doing what we do and why we're protecting people and, you know, why, why we're working, you know, on making sure that we're the good guys and that we protect ourselves. And then I counted to 19 and I was like, one, two, three, you know, and all I could think about was, I hope nobody turns it up and does something naughty with this device.
So I think that was seriously an aha moment for me when it comes to cybersecurity. And I don't know if it was the most amazing, but it was the most enlightening moment that really brought home personally to me the reason that we're doing what we do every day.
[01:04:31] Speaker A: Yeah. There's, there's real implications. This is, this is real world stuff, right? It's, it's the same as, as, you know, you see the news article and, you know, somebody was mugged and, you know, some other area of the city, and it's like, oh, well, that's somebody else. Until you're sitting in the chair or you, you know, your next door neighbor or maybe you're your wife or yourself gets impacted by that, then it changes. Right? You mentioned it before, right. With, with companies that got hit. SolarWinds is an example. They have huge cyber budgets now because they realize firsthand how dangerous and what the risk is. So hopefully we don't have to, the whole world doesn't have to realize, we don't have to wait until bad things happen to do good things because obviously we don't want to do it at that point. Unfortunately, I see a lot of people have to be in that chair and experience it firsthand before they're, before that aha moment happens and they're like, oh, yeah, this is why we should do that.
[01:05:28] Speaker B: Yep. Great. Well, this has been a lot of fun.
[01:05:32] Speaker A: This is, I appreciate the time today and the conversation. So why don't you guys tell us what's the call to action for you guys, as far as learning more about the company that you guys or yourselves.
[01:05:44] Speaker B: Individually, Shlomi, you want to take it?
[01:05:47] Speaker C: Sure. And then you can take it as well. So about the company, I think we covered a little bit at the beginning, but we are in the product security space. We're focusing on helping medical device companies, automotive companies, industrial manufacturing, anything that has to do with safety critical devices.
So we help them with compliance with the cybersecurity regulations by facilitating the process of asset and esmo management, vulnerability management, incident response, and all of that good stuff. So I guess the best way, if you want to learn more about that, is just talking directly to me or David or visiting a [email protected]. We love to talk about that stuff. We have a podcast dedicated to product security. So that's our bread and butter and that's what we love doing. And yeah, I guess I'll leave it there. David, what would you like to add?
[01:06:47] Speaker B: I'll just add one thing to it that we really like to get out to the market and post-Covid especially, we do a lot of conferences face to face in addition to the podcast. And it would be great to meet anybody who wants to meet up, come to our website, look at our event section, and let's meet face to face. And even if there's no upcoming event, you know, if I, one of, one of your, if your organization wants to even just have a briefing on what it is that we do and how we've helped a lot of companies in the space, you know, we're happy to come by and visit. We have teams all around the world and just get in touch. David.com shlomi bellum.com and we'd be really happy to hear from you.
[01:07:33] Speaker A: Outstanding. Definitely put all that in the show notes so people can reach out and, and find out more information. It's obviously a big area of need with more and more IoT and devices coming online that we need to learn how to protect and make sure we're doing it from the beginning instead of, you know, bolting on or putting a bandaid on a bullet wound.
[01:07:53] Speaker C: Totally. And Aaron, get, I keep forgetting that we're also posting it on our end as well. So what's your CTA? I guess that's the perfect way to end this.
[01:08:03] Speaker A: Yeah, absolutely. So again, Aaron Crow. I'm with a consulting firm called Morgan Franklin. We are a cyber boutique from head to toe. Right.
So anything cyber related from a services perspective, we don't sell products. We work with a lot of partners, and we do everything from, you name it, like, from IT to OT assessments to implementations, doing design and architecture to hands on, you know, putting in, helping expand your team, you know, coming in and doing specific project stuff, rollouts, kind of everything in between. My team specifically, we focus more on the OT side. So obviously I'm doing, you know, power plants and, and manufacturing and, you know, rail and transportation and wastewater. And again with that, we're doing everything from, you know, from compliance, from assessments, from red teams to, you know, helping you build a program doing. And it's all the policy, process and technology. Right. It's not just, hey, what, what technology do you need? Because technology is a big piece of it, but it's not always the answer. It's not always the only answer. Technology alone is not enough. So for me, obviously, I have my own podcast as well, Protect It All, where I really talk about all things IT and OT cybersecurity, it's probably leans heavier on the OT side just because I spent a lot of my efforts around that. But I like to have conversations in this because I really don't see that much difference. It's all the same, you know, it's very similar. Technologies are similar, et cetera. It's just kind of the implementation and how that is different now. So as well, I'd go to a lot of conferences. I'll be at Black Hat and Defcon here in the states in August. So definitely come out and say hi. Morgan Franklin has a booth at the House of Blues facility, and I'll also be at Defcon. I work with a nonprofit called ICS Village. So I'll be in the ICS village during Defcon. So definitely come up and ask questions.
We'll have our little, we've got an OT wall that has PLCs and some cool blinky lights that we showcase and kind of talk about how OT and how do you secure it and what are the problems that you have and all that kind of stuff. So definitely reach out there. My website for my podcast is protectedall co. My email is there. You can reach out. If, if you want to be on the podcast or want to have some cool conversations. Definitely reach out.
[01:10:19] Speaker B: Great.
[01:10:20] Speaker C: Sounds great.
[01:10:21] Speaker B: So I guess it's a wrap. This has been a lot of fun.
[01:10:23] Speaker A: It's a wrap. Yeah, absolutely. Thank you, gentlemen.
[01:10:26] Speaker B: Thank you.
[01:10:28] Speaker A: Thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity. Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time it.
