Driving OT Security Innovation: AI, Risk Reduction, and the Future of Critical Infrastructure

Episode 63 June 23, 2025 01:08:02
Driving OT Security Innovation: AI, Risk Reduction, and the Future of Critical Infrastructure
PrOTect It All
Driving OT Security Innovation: AI, Risk Reduction, and the Future of Critical Infrastructure

Jun 23 2025 | 01:08:02

/

Hosted By

Aaron Crow

Show Notes

Welcome back to Protect It All! In this episode, host Aaron Crow sits down with longtime friend and OT cybersecurity veteran Brian Proctor for a deep dive into the current state—and future—of the OT cyber landscape. Together, they trade stories from the front lines, reflecting on how their early experiences as asset owners shaped their passion for innovation and helping critical infrastructure run safely and securely.

Brian, whose career spans roles from OT engineer to startup co-founder, opens up about his journey—highlighting his drive to push the boundaries of traditional OT security and the evolution of key industry technologies. The conversation explores everything from the persistent lack of innovation in OT, to AI’s growing role in tackling the daunting challenges of risk reduction, visibility, and scaling assessments across sprawling environments.

If you’ve ever wondered how new tech like AI is reshaping industrial cybersecurity, why “we’ve always done it this way” just doesn’t cut it anymore, or how organizations can realistically stay ahead without breaking the bank, this episode delivers honest insights, practical advice, and a look toward an exciting, if sometimes daunting, future.

So grab your headphones and settle in as Aaron and Brian share stories, hot takes, and strategies designed to protect it all—because in critical infrastructure, the stakes have never been higher.

Key Moments: 

06:45 OT Cyber Industry Evolution

11:57 Evolving Challenges in OT Security

19:34 Bridging the OT Security Skills Gap

21:54 Enhancing OT Security Understanding

30:46 AI Model Security Challenges

34:26 Rapid Scaling for Site Assessments

40:56 Simulating Cyber Threat Responses

47:19 Operational Priorities: Equipment vs. Cyber Tools

49:30 Focus on Meaningful Security Metrics

56:30 Rapid AI Adoption vs. Internet

01:02:12 Cybersecurity: Small Targets are Vulnerable

About the guest : 

Brian Proctor is a cybersecurity leader with over 20 years of experience protecting critical infrastructure across energy, industrial automation, and operational technology sectors. As the co-founder and CEO of Frenos, he empowers critical infrastructure operators to proactively secure their environments against evolving cyber threats.

Brian built his foundation in ICS/OT cybersecurity during his 13+ year tenure at two progressive California Investor Owned Utilities, San Diego Gas & Electric and Southern California Edison serving the 2nd and 8th largest cities in the United States. He managed a team of 15 security engineers and researchers across 150+ projects, established OT security roadmaps, and co-invented an R&D Magazine Top 100 award-winning GPS anti-spoofing mitigation technology that earned him a patent.

Brian has published IEEE papers on security monitoring, served as Critical Infrastructure Co-Chair for Securing Our eCity, and regularly speaks at conferences to educate and build the ICS/OT cybersecurity community. He holds technical certifications including GICSP, CISSP, and CRISC, along with a Business Administration degree from the University of San Diego.

Links: 

https://frenos.io/services - Learn more about Optica, the industry's first tech-enabled rapid OT visibility service 

https://frenos.io/autonomous-ot-security-assessment-platform - Learn more about how to automate OT security risk assessments

Connect Brian : https://www.linkedin.com/in/brianproctor67/

Connect With Aaron Crow:

 

Learn more about PrOTect IT All:

 

To be a guest or suggest a guest/episode, please email us at [email protected]

 

Please leave us a review on Apple/Spotify Podcasts:

Apple   - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4

View Full Transcript

Episode Transcript

Aaron Crow (00:00.96) Hey, thank you for joining me today on the podcast, Protect It All. I'm super excited. and I, Brian, thank you for coming on the podcast. Brian and I have known each other for quite a long time. We've done some really fun and exciting things at, big label companies and really fun and exciting stuff in the OT space. So Brian, why don't you introduce yourself and tell me, tell everybody who you are and if they don't know you, why they should know you. Brian Proctor (00:24.654) Yeah, yeah, thanks Aaron. I know we've been trying to do this podcast now for months. We finally got a chance to do it. But hey everyone, Brian Proctor spent my first 13 years as an OT cybersecurity engineer and architect. for two California electric utilities. After that, after deploying kind of the, being an early adopter of OT passive monitoring in 2014, I made this silly, crazy idea of jumping into sales for one of the OT cybersecurity monitoring startups called Security Matters. For those who remember that company, obviously they were... early competitors to the ones you know today like Drago, Sinclair, and Nozomi Networks. And so, yeah, got to, got to sell into pretty much every large industrial vertical from manufacturing to oil and gas, to electric utilities, to automotive, pharma, you name it. So I've got so much exposure, was such an awesome experience. And then for those who don't know, Security Matters was acquired by Forescout Technologies 2018, and I led kind of their OT. sales for a couple years after we were acquired. Since then though, I took the next crazy journey of deciding to get back together with some friends at Security Matters and I co-founded Frenos. What we are is the first kind of AI native, what we're calling OT, Security Posture Management Platform. So really kind of being kind of the first second generation OT security technology, really helping people take that next step. So yeah, I've taken it actually Aaron, we have similar backgrounds to be quite honest, where we started as asset owners. Now you didn't go really to the product side, you went more consulting, but yeah, we're similar where, yeah, had no idea I go into sales, had no idea to start my own company, but man, I love OT cyber, been doing it since 2004. Brian Proctor (02:28.97) And yeah, it's so lucky to be in this community. Aaron Crow (02:33.634) Yeah, absolutely man. you know, it's so funny, there's so many of us that kind of came from this, you know, as an asset owner and kind of bridge the gap into whether it be a vendor or consulting or whatever. I think the common thing, the common theme I see with us all is that we have this drive and this desire to give back and to help, you know, make these environments better. Cause we understand, A, probably because we've seen, you know, how bad and ugly it can be and how critical all these Brian Proctor (02:43.133) if they're not supposed to Thank you. Thank you. Aaron Crow (03:03.416) you know, the critical infrastructures and why they call them critical infrastructures and how important they are and that we want them to work. you know, I want my, you know, my kids to have a safe environment and we want electricity to work and water and all the things that we've grown accustomed to, especially in this country of, you know, electricity and, and, air conditioning and, you know, refrigeration and gasoline and, you know, AI and computers and Netflix and all the things that we, take for, for granted. sometimes I guess probably we don't, but you know, so many do. So, so along that line, you know, to your point, we, I've been doing this for a long time. I, I was implementing technology and OT spaces before there was any dedicated OT specific products, even before, know, any of the initial ones, right? I was using I commercially off the shelf, it stuff and kind of forcing them into these OT spaces because there wasn't anything else to do. Right. so along that path. Brian Proctor (03:53.216) I think that it's thing. I think that it's a thing. I good I think I I I think I good I it's a good I I think I I it's I thing. I I I good I I thing. I think a Aaron Crow (03:56.878) And across all of these years, we've seen some big hit things come up. Obviously, network monitoring visibility, vulnerability asset management, that type of stuff has really been big. Secure remote access is another one that's really big, that's been in the space and continues to be a leader in what people are looking for. Obviously, compliance, especially in NERC CIP and some of these regulated environments. compliance and the reporting side of things. But we were talking offline and I kind of want to bring this conversation in. In the last 10 years, there hasn't been a whole bunch of innovation in the space, right? We've seen a lot of the same stuff. And honestly, I love some of the products and I'm not saying we shouldn't do them. Network visibility is great. I love the partners that we have in those spaces. The firewall technologies have come so far along, like all that stuff is amazing. Screw-mode access is absolutely a need and not a want or an option thing. You gotta have screw-mode access if you're allowing that. But again, there's little to no innovation and it's just implementing the same things that we've done in IT maybe in a different way, but it's doing it. what caused you to wanna step out and say, hey, I see this thing over here that nobody else is doing and I've got this crazy idea. I mean, we want to do something different and then a little bit kind of maybe dive into the use case of what you guys are doing and why it's different and why it helps and how it helps these companies no matter where they are in the maturity level of their OT programs. Brian Proctor (05:22.693) Yeah, yeah, absolutely. Well, I've always been an innovator, Aaron, at the utility I worked at. For those who don't know EPRI or Electric Power Research Institute, this is a non-for-profit organization and they have a cybersecurity kind of innovation group of utilities that all meet and get together. And I was lucky enough to be the representative at one of the utilities that I worked at. I just have a passion of really just pushing the industry forward. I actually have a patent on GPS spoofing and running through it because we were doing some synchro phaser use cases and I was like, whoa, what happened to start drifting time and shifting phase angle? Could bad things happen? And we found out you actually could. So, which is crazy, because now with the Ukraine and Russian war, they're like using GPS and timing and location. And that's actually a big part of the war, which is crazy. But so I just love kind of... pushing the industry forward and so being part of EPRI is kind of where I started my passion. yeah, I mean the way I look at this industry Aaron, like the OT space, I actually talked to a lot of VCs about this because I had the fundraising is a necessary evil when you start a company. And so you have a lot of conversations with these types of people. And so. Yeah, I want to share or give you some background on thoughts on kind of my perspective of the OT cyber industry as a whole, which is really the market that we know today for OT cyber really was established around 2015, 2016, roughly about 10 years ago when Drago's Clarity and Nozomi when they came out of stealth. Like we all know one of the first there were other products before then like Industrial Defender was probably arguably probably the first. Brian Proctor (07:33.471) one out there. But there's also some other kind of smaller ones. There is actually an OT secure remote access technology out of Israel that Honeywell bought called Next9. Next9, geez, I'm going way back. So which is crazy. But long story short, the market as we know it today started around 2015 and... And really, so that's when they came out of stealth. These companies were small. Some very, very early adopters like myself in 2014, 2015 really adopted these technologies. Big shout out to Chris Sistrunk and Adam Crane, whose DNP3 research, for those who don't know, take a look at their research back in, I think it was around 2014-ish. where they started fuzzing the DNP3 protocol and found a bunch of protocol stack errors. And basically if you send a certain malformed pack DNP3 packet, you literally could break every single DNP3 device and electric utility. so putting on my hat when I was at an OT architect, we were migrating from serial to IP based networks and their research came out and I literally pooped my pants. I'm like, holy cow, this is bad. Like if someone just blasts our whole network with these malformed packets, like every device is bricked, like literally bricked. And that freaked me out. so that's thanks to them. That's where I became passionate and knowledgeable on kind of this OT passive monitoring space. And that's why we rolled it out at my uUtility. then Aaron, I got to talk about it at conferences, cause I was just. I mean, I just love talking to people about this. I'm just so passionate about it. and, I actually, my talk was all centered around not to security value that OT passive monitoring provided, but the operational value. So, cause we would build like Splunk dashboards about kind of the OT errors that we saw with all the devices. Cause you know, DNP3, there's a bunch of error codes and you can tell when devices. Aaron Crow (09:46.786) Mm-hmm. Brian Proctor (09:51.733) are having problems either with timing or you're sending commands they don't understand. And so we had visibility into this and our field crews, our relay techs, our RTU techs and our various technicians on the field literally had no idea like this was happening. And so it's all about making their lives easier and obviously making our system more resilient. But long story short, after I these talks, there would be 20, 30 people waiting to talk to me after these talks. so That's when I put on, I went to school for business actually. I kind of put on my business cap. was like, wait a second, like this is gonna change like the OT space. so, yeah, so that's when I decided to kind of jump into the startup and kind of start obviously selling this into the community. But where we're at today, Aaron, is from my perspective is look, people... like the OT cyberspace has kind of been stuck in the mud or stuck in this kind of OT. need to get visibility, which is absolutely a hundred percent correct. I'm not saying you shouldn't do that. They there's fantastic vendors and solutions out there. You should know what you have. That's kind of step step one. And obviously there's passive monitoring ways. There's active ways. I'm sure the, the OT security trolls out there are going to comment. You should only be active and scan everything, which Aaron Crow (10:58.104) Sure. Yeah. Aaron Crow (11:08.771) Yep. Brian Proctor (11:19.995) might work for a plant, putting work in electric utilities where you have fractional T1 lines and other things. You just can't scan 2000 sites and 100 devices each side to literally break your whole network. besides that, so what's happened since the market started in 2015 is that people have started their visibility journey and people, I would say, and you probably know a lot about this. probably more to me because you talked to probably more people than I do. Like I'd say probably 60 to 70 % of the OT security market has started their journey already. at some level, like some people have been doing it for five plus years. Some people have started recently, but long story short, yeah, there's a lot of people that I actually sold into back in my early days of security matters and they've been doing it for so long. They're really wondering, Aaron, like, what's the next step? Like, I deployed these sensors or active polling or whatever it is. I've got this asset data. I've got all this vulnerability data now, right? Like, we know we have problems. I like to say there's a lot of unlocked doors and open windows in OT. But the problem I think that we all have and why we started Frenos, Harry, my co-founder and I, is people have this data error and they're just like, there's a lot of noise and they don't know what to do right now. And the solutions out in the market aren't really telling them the proactive things and the steps that they can take to actually reduce risk in their environments. Cause when you look at the, let's just say the OT visibility monitoring space, to be quite honest, the first main use case was threat detection. Right. And, and then, and then what happened was a lot of people just didn't find the threats, whether the threats weren't there, whether the technology wasn't good enough to identify the threats or the sock people can do it. I don't know. But for some reason, like they're not detecting a lot of, say advanced threats. And so that's why the market kind of shifted to more of the visibility message, like know what we have, like an identified vulnerabilities, which is smart, which is what you should be doing. but now. Aaron Crow (13:13.901) Right. Brian Proctor (13:41.02) Frenos is all about taking those data sets, Aaron, and really driving action. So we're running and simulating, leveraging a digital twin that we build with firewall configs and router configs. And then we combine it with an AI reasoning agent who thinks and acts like adversaries, like Volt Typhoon, like a ransomware group. And obviously we know the TTPs and we can start simulating. within this digital twin, what are the most likely TTPs that would work in your environment, right? Because now we have network context. Now we have asset context. Now we have vulnerability context. And we can say, well, hey, what kind of box is this? it's Windows. it's an RTU. It's an RTAC. Like it's running this, like these ports and protocols or services. And so we can really start understanding what the most probable like ATT &CK PAS and TTPs are with the focus of giving folks, I prioritize lists of mitigations that they can take right now to lower risk in their OT environments because that's, Aaron, was the question. When I spent years deploying my sensors and spent millions of dollars, you know, I had some really sharp executives and they came back to me and said, okay, Brian, you spent all this time and money how much risk did you actually reduce in our environments? And that was the hard part was like, well, we didn't actually reduce any risks. We got foundational data that was necessary, but we didn't actually reduce something or reduce the risk. And so that's where we're focused on Frenos is actually driving action from the OT datasets that many folks out in the community have today right now. Aaron Crow (15:32.94) Yep. A hundred percent, man. and you know, that's, that's, that's the thing that I see is, is, know, AI, everybody's talking about AI, you know, I just got back to RSA and you know, everybody's bolting on some kind of AI chat or something into their product, just to say, have AI. you know, a lot of them I've been, you know, as a, as a CTO, I was, I was looking at that as well for the product. And, you know, some of it, some of it makes sense. Some of it just doesn't because of the way that the products are built. are the functions that they're serving and there's just not a big reasoning behind it. Some things could help you with compliance questions and things like that. Obviously, there makes sense there, but it's just limited in what use cases you can have with it. we know these tools are coming. We know that AI is coming. And the question is, what do you do with it? AI is just a generic term that just is really around. We've been doing automation in these places. way before there was computers, way before there was ethernet. Like that's what control systems are, is they are automation. We're just adding an additional layer that helps do some additional advanced, you know, yeah, consolidation, reasoning, looking at things better than a human can. you know, it's like, I can look through a firewall. It's a reason why we have like tools like Firemon, again, that are around forever. I can look at a firewall rule. Brian Proctor (16:35.898) advanced you know Aaron Crow (16:55.534) or configuration and manually look through it and look at the rules and say, it looks good to me. But it's also really easy for me to miss a port and say, wait, why is that port in there? And not catch it, right? Because it looks like a six and I thought it was a nine or whatever that looks like, right? But that's where products and tools like this come in and find those gaps that you don't find, right? Brian Proctor (17:07.262) Okay. Aaron Crow (17:19.52) All that bad actors need is one, know, people hate it when people say this, but all they need is one success. And we have to try to protect all of those things, right? And we don't know what we don't know. And a lot of the spaces that we go into, as you know, we're in different spaces or different maturity of an OT model or implementation. You you've got the big boys that have thousands and thousands of sites. There's no way they can implement everything and keep it all up to date. at the same scale, just because the site you and I, or the company, we don't have to name them, but big power utility in the country. One of the biggest ones, they've got 3000 plus substations. Actually, they've got 10,000, but we deployed it across 800 something like that, right? And there's just no way they can even keep up with that, right? How do they, I even had it when I was an asset owner and I had 48, 40 something power plants in the state of Texas. Brian Proctor (17:49.773) It's a place to be able to. Brian Proctor (18:04.409) You Aaron Crow (18:18.068) I was deploying things, but no, who was behind me taking care of it and getting the value, the ROI out of it. And then upgrading and thinking of, okay, now we've got this now what? Because that's the thing is, is as we know, cyber is not a, there's no finish line. There's no, we got it. We're secure. We could go home now. Let's dissolve the cyber security group. And we've checked all the boxes. Like that's not real. Like this is a thing that's going to go into perpetuity and we're going to be constantly having to Brian Proctor (18:35.141) Right. Aaron Crow (18:47.286) outwit our adversaries and outwit the vulnerabilities and outwit the things that we're installing in these spaces and the needs that we have and doing it alone is expensive and we're constantly fighting resources. And that's why I think AI is so important to be thinking about how do I use these in OT? Cause we're already resource strapped. We already have a problem, a skills gap and all these types of things. So how can we use these tools to subsidize some of that and to... Brian Proctor (19:02.616) Yeah, man, I mean that skills gap is real. mean, look, look, we used to be ex-asshole owners. Aaron Crow (19:14.69) to level set and exponentially grow the maturity of these environments without exponentially growing staff and budgets and all that type of thing as well. Like that's what I'm excited about. Brian Proctor (19:30.912) Right? Dude, we've seen a massive, right? A lot of great talented people, because there's so much opportunity, OT Cyber. They've gone and left for Drago's, know, Rob's built an amazing team. Heck, he stole my top guys at SDG &E. They still work with their shout out to DMS and Austin Scott. So one of the things we actually talked a lot about too, Aaron, is we want to help up level OT security teams. Cause there's always like always like junior or entry level folks is how can we help help organizations up level their knowledge on OT and get more familiar with the environment. And that's where I think products like ours who leverage like AI can really help help those teams do it because look like it's so funny. Like we have, we have customers who ran their POCs. I'm not kidding. with interns because all you have to do is collect data. They can email people and ask for data sets or go download, export data. And all you do is upload it and the analysis just works. And then there's outputs and things to do. That's where we're going here, Aaron, is if you really look at the state of assessments, because that's essentially what our platform does. We're doing autonomous continuous. like cyber assessments of OT environments. If you look at what people are doing now, it's a lot of manual work, right? It's a lot of manual, like I'm hiring people, I have my internal risk assessment team or red team or some type of OT assessment team. And like we're talking with utilities left and right. And these are like week-long engagements, month-long engagements from consultants. How do you scale that across hundreds or thousands of sites? You can't, you simply cannot do that. It's just not cost effective. You don't have enough time and there's really just not enough people. And I think that's where technology and AI is really gonna help out is taking these data sets and running this analysis so we can get the low hanging fruit. Like we all know, Noatead, there's a ton of low hanging fruit, like simple stuff we can do. It's not just patching things, like I would argue. Aaron Crow (21:48.91) 100 % Brian Proctor (21:53.528) Your time could be better spent not patching and focusing on other things to be quite honest. So that's why our platform, we provide recommendations of a variety of different categories of areas, segmentation, a variety of other things. So yeah, we're all about uplifting people, like gaining efficiencies and really helping people. Like I would argue today, and this is probably one of the many hot takes I'll have on this pod here, Aaron. is today there isn't a single OT asset owner in the world who understands their security posture at all their OT sites. And I would argue many of them, they probably understand their OT security posture at less than 25%, like at most, like most of the community. And that's what we're tackling at Frano's is we believe now, thanks to a lot of the hard work that those first generation OT passive monitoring tools have provided those foundational data sets, that you absolutely need. We can now take those data sets and run this type of analysis to really start pushing innovation and driving maturity of programs faster and better. that's what excites me, man, because gosh, mean, for those of us who've been in this community for so long, we all know that there's so much work to do and there's so much opportunity. Yeah, I just get excited when I get to talk to a new company or a new team. I'm like, tell me about your journey. Like what's been going on the last 10 years? And then of course we have COVID that really kind of stalled everything for most people, right? So to be quite honest, when you look at like the cybersecurity industry as a whole, not just OT cyber, like OT cyber is like in its infancy. Like we're like early days here. Aaron Crow (23:29.827) Yeah. Aaron Crow (23:35.075) Yeah. Aaron Crow (23:45.731) Yeah. Brian Proctor (23:49.013) And then you throw in COVID and we've lost like a year or two. man, yeah, just so much work to do on every front. Yeah, and we're just excited to be working with the community and really innovative companies. Like that's also another challenge is really finding leaders who want to embrace AI and innovation. Because I think when you look out there, cybersecurity like, Aaron Crow (23:52.824) Yep. Brian Proctor (24:18.077) like I'm paranoid as hell, like we have healthy paranoia, like we're pessimistic people, like people say AI, like even my own CTO who's an AI, like I'm no AI expert, he is, I start questioning like, like, let me see, like, like what's really going on here. And actually, Aaron, which is really cool, in our product, I had to build this feature. We have this, basically a CLI that our AI agent types out exactly what it's doing and why they're why sire. It's so so we call her she why sire is doing what she's doing because I I need to know if I was on the other side buying this piece of software. I would be like, well, well, how did the AI come up this? Why did it pick this path or this TTP and and when you give evidence, we call it evidentiary AI when you give this evidence around what your AI is doing. you then can really start showing people, hey, this is the reasoning. It's not some smoke and mirrors type of thing. This is what the agent is doing. And so I think we talked about this earlier too. I actually think, especially in critical infrastructure, security people and security teams could be one of the, or definitely not the first business units that adopts AI. because of kind of just the way the paranoia and everything else that that's just part of who we are. Like I can see operational people. I mean, look at legal accounting, finance. those people, they're probably already using AI to be quite honest, Aaron. Or at least, yeah. And I think, yeah, I think leaders at large enterprises are looking like how can we use AI to Aaron Crow (26:00.078) Yeah. All right, most of them, yeah. Brian Proctor (26:14.762) gain capabilities, to gain efficiencies, and just speed things up. And I think the OT security space is so right for this type of. Aaron Crow (26:26.262) It is, you and you're right and it's hard to find and it's hard to be innovative or at least I've seen it be hard. it's really not because you and I both were innovative in our roles as an asset owner. It does take some gumption, I guess you could say. You know, again, both of us really started this before there were OT products or tools or really before they even called it OT, right? Like we weren't doing this. Brian Proctor (26:51.305) Yeah. Aaron Crow (26:52.534) And they didn't call it OT cybersecurity. that wasn't even a term until well after we started this process, right? But some of this is the need for innovation. And when I say innovation, that scares people, especially in OT. OT is very much a, we've done it this way for 40 years. I'm not gonna change it. If it ain't broke, don't fix it. My dad worked in this industry. He was an INC controls guy for 40 something years. So he worked at plants and he was a, Brian Proctor (27:20.219) It's still at that same mindset. Aaron Crow (27:21.452) you know, I see guy, you know, the lead control system engineer, that kind of thing at some of these power plants. And then he grew into, you know, leadership and all that kind of stuff. And he led a team that managed them all. same thing, like he still says it, like he still kind of dabbles in this space, even though he's retired. They still have that same mindset. And they're, we struggle with, you know, being innovative doesn't necessarily mean being bleeding edge. You know, obviously in IT, the risks are different, but just because I'm in OT doesn't mean I can't take some new different directions and do things differently or think about things outside of the box. What I love to say and think about is like, it doesn't mean like, instead of saying, no, I can't say how could I? Like what would have to happen for me to feel comfortable to do this? So using your tool as an example, what would I have to do? Which is why you guys did it the way you did. Well, I don't want my day to go in the cloud. Okay, check. Brian Proctor (28:12.092) Yeah. Aaron Crow (28:17.934) I want to understand what commands it's doing. It's like doing calculus. I need to see the work. I don't want to just see an answer. I want to see how you got there. Okay, check. I want to understand. I want it all on-prem. I don't want my data going outside of my environment. All of these things are concerns. You can find a way to be both of those things, to be cautious, to be careful, to be intentional about what I'm doing in my space. Brian Proctor (28:22.169) Okay. Aaron Crow (28:47.458) But that doesn't mean that I can't think about things and do things different than, we've always done it this way. I freaking hate that response. Well, we've never had an attack. I've been at this plant for 40 years and it's never been hacked. Okay, right? You don't change your oil for 10 years and you've never blown a motor until you do. And eventually it's gonna blow up. And then what? Now you're sitting here, right? Brian Proctor (29:05.499) Yeah, yeah, yeah, yeah, totally, totally. I mean, all those, all those things you talk about, yeah, those are common things we've heard for, for for so long. think the good news is that, yeah, I want to say our generation, because we're kind of like the newer generation of kind of OTS cyber professionals. I think, yeah, a lot of that is changing, which is good, but of course, there's still remnants of kind of the first generation of folks like that. Yeah, we at Frey Nos have this saying and we have a logo says forged by OT for OT because we work there. Yeah, our product is all on-prem hacking. You can run on a laptop, which is this cool. Like we understand like whether it's regulation, you can't have certain data sets in the cloud or heck, I just don't like the cloud, right? Like I want to control the destiny of my data. Like if I'm a security professional and I have a choice of giving some vendor all my configs, all my vulnerabilities and asset data or me controlling it, I'm gonna say I rather control it. That's kinda giving someone pretty much a map of what could be possible. whether it's Frenos or whether it's Palo Alto Networks, it doesn't matter. That's sensitive information and everyone can get hacked. We know this, a lot of companies do. So yeah, we... We try to build a platform that really is kind of checking all the standard OT boxes, right? Of on-prem, you control your data, it doesn't go to the cloud. Heck, if you want to run our platform in the cloud, sure, go ahead. You have your own private cloud, awesome. But yeah, that's really critical because those are the common like... Brian Proctor (31:14.692) all say when you go into like sales calls or talking with teams, these are the common questions. And then with AI too, like now there's obviously a set of questions with AI, like what models are you using, right? There's all these, you know, emerging AI security checklists and we're actually training our own model, which is right, a unique kind of thing to some companies, some companies who are I mean, we talked about this earlier, like sometimes just try to build a wrapper to chat to BT or Claude and you're just sending your data up there. This is like, we know as security practitioners, like that's not going to fly. Most enterprises don't even want to do stuff like that. Have their data go up to those kind of a public AI models. So yeah, building a product that's unique for OT that's OT focused. and really kind of meeting the challenges of what exists today, which kind of going into the next challenge, what we feel like too is scaling visibility. I think this is probably a good time to maybe announce that here in a couple of weeks, we're at FreyNOS announcing what we're calling a tech enabled rapid visibility service. So, After our experience as Frenos, and by the way, for people who don't know, like the first six employees at Frenos, have over 100 years of actual OT cyber experience. besides maybe Dragos, they have way more employees than us, but we've got a ton of OT cyber experience. But we understand that getting visibility everywhere to hundreds or thousands of sites takes a lot of time, takes a lot of effort. And we've come up with a way to use technology to basically create blueprints and templates of sites. So people don't necessarily need to scan every site, don't necessarily need to put a passive sensor at every site or don't need to do a manual walk down at every site. Most companies, whether you're building a power plant, Brian Proctor (33:36.889) like from some EPC or like some OEM, right? Like you've been to many power plants, like if it's Emerson, even the IP addresses are the same. Like they're all the same. Yeah, yeah, it's cookie cutter everywhere, right? And Sammy, you look at obviously where utility backgrounds like substations, there's substation design standards where they literally say, you will use this relay. Aaron Crow (33:48.152) Same name, same IP address, everything. Brian Proctor (34:04.784) this model and here all the wire, you know, line diagram, wire diagrams where, where, where they're all plugged in, right? So like everything is cookie cutter, which actually from a, like, from a simulation and, and, and, blueprinting and template standpoint makes things a lot easier because when you go to one side or you have a sensor that's already at a site and then you could copy that. and then we're just pulling kind of networking firewall. configurations, we can start then building these kind of virtual representations of sites without you actually needing to put any technology out there or sending people out there. And so they're sampling best practices from FERC and NERC where, you're getting audited, right, they don't look at every site, they do sampling. And that's the approach in the service that we're offering is we believe, and we're partnering. with service organizations like yours, Aaron, that can go out to these sites, perform a walk down and use tech and or use technologies to get a complete visibility picture. And then we can bring this data back into our platform, start kind of building these representations of all their sites, if it's hundreds, if it's thousands. and then start scaling these assessments very, quickly. Cause our goal is literally to do literally hundreds or thousands of assessments every year. And I would argue that that many companies aren't doing more than a handful per year. Like we, we, we talked to the major players and the average time it takes to do an OT assessment, especially if hire someone externally, that's like three, four months. I mean, cause there's contracting, there's report writing, there's the actual work, there's this and that. And then the costs are Aaron Crow (35:54.595) Yep. Brian Proctor (35:58.572) are a lot too. When you look at these bigger players who have all these sites, like it literally would take them decades if they tried to all these sites in tens of millions of dollars. So we can. Aaron Crow (36:09.964) And by the time they, by the time they get a quarter of the way through, it's time to redo the ones that they started at. Cause like how frequently do you need to do these things? As we know, these environments don't stay static vulnerabilities change, attack paths change. Like all these things change so frequently. It's, it's you're, you're in a losing battle. Like I had a client, a while back in this O T space that reached out and, and they had a big, and you mentioned it earlier about patching. and they, they were a large manufacturer. They, they built, Brian Proctor (36:13.616) Yeah Brian Proctor (36:34.714) Thank you. Aaron Crow (36:39.662) It doesn't matter. They built stuff, but their manufacturing was so large. They had 80,000 OT devices in a space and they were all things that needed patching. So they knew that they were, like, how do you keep up with 80,000 devices that need to be patched? That unlike IT, I'm not gonna just automatically push patches to these environments because it could break shit, right? So they basically came to us with like, Brian Proctor (36:41.616) Okay. Brian Proctor (36:51.85) Right. Aaron Crow (37:07.01) This doesn't make sense. How can we do this? How can we keep up with this? They needed help to understand where the important things are. Like if I had to spend one moment, an hour of time, where is that? Where should I spend that hour time? Which device? Which is the most risky? Which is the most, you know, return on my investment for reducing my risk and improving my security posture, all that kind of stuff. And that's what you guys are doing way beyond just the patching side, you know, on the attack, attack vulnerability side. But that's the whole point is Brian Proctor (37:23.916) Thank Brian Proctor (37:27.919) So, if you're interested in doing a review on this, I'd to take a note on that. Aaron Crow (37:36.108) You take all of this mass amount of data and it doesn't matter if you're a big company or a small company. If you've got one side or 50, it's still about because there is no silver bullet of a product that you can put out there that's going to solve all your problems and remove all risk from your environment. Like we know that that's not that's not a surprise. Like I've had vendors that get pissed off when I say that. I love them all. I love firewalls. I love all these different things and they're all needed. Scrum on access, all the things, but I can't. Brian Proctor (37:56.921) Right. Aaron Crow (38:04.282) There's not one of them I can do and just say, okay, we're done. We don't have to do cyber anymore. Like we checked the box. That place is secure. Like that's never going to happen. So we have to be able to adjust and look at it and know I need to be able look at this thing on some regular cadence and know that my risks are going to change. My business changes. The impact of my business is going to change. My suppliers change. Like so many factors change. Why would we think that we can just do a Brian Proctor (38:22.567) Yeah. Aaron Crow (38:31.83) an annual tabletop, an annual assessment, or a biannual assessment at 5 % of our plants, and that's good enough. And so many companies are doing that, and I don't think it's because that's what they want to do. I think it's more because they don't have another thing they can do. They don't know what else to do because they don't have millions of dollars or tens of millions of dollars to do all this internally or do this on a more regular cadence. So they just do what they know is they're trying. They're doing the best they can with the resources they have. Brian Proctor (38:50.67) All this entire layer. Aaron Crow (39:00.664) But this is what excites me about this type of offering is you can move that ball further without having to go do an individual walk down of 10,000 sites every year. Because how many people would it take to go do an annual assessment of 10,000 sites every year or every even two years? It's damn near impossible. There aren't enough people to do it with the skill sets that are needed to do that kind of Brian Proctor (39:19.538) Right. Right. Right. And that's why if you look at the metrics to like Sans does this and Jason Christopher leads this great annual survey, if you look at like what type of OTE assessment people are doing, like some crazy percent, like 70 odd percent, 80 percent is like paper assessments. Well, how thorough is a paper assessment? Like that's a joke. Like like. You know, going back to your story of, yeah, you've got like, you know, 80,000 vulnerabilities. Like, yeah, you might have, you know, there's some organizations with hundreds of thousands. I would even argue more, but if the firewalls close, the services and running, like there's environmental context that matters. Like just because you might have the vulnerability on a device or it's applicable somewhere in, in the environment. Is it really exploitable? That's what we're really getting to, Aaron, is saying like, okay, great, like Heartbleed 3.0 comes out and there's fire alarms and you've got it everywhere, but what's actually exposed, right? Like which devices actually have the conditions to make it exploitable? That's what we're not doing in the industry at all for OTs. like, we're doing, you we know the make and model, this make and model has 30 vulnerabilities and the CVSS score is freaking 10 for half of them. crap, this is bad. Well, guess what? Your firewall is blocking all of it. Why do you even care? There's services and running. Why do you even care? Like there's no environmental context. And so that's what we're trying to help people understand is when these celebrity vulnerabilities come up, like, does it matter? what's like, I know like when I was at utility, Aaron Crow (40:55.342) Correct. Yeah. Brian Proctor (41:12.781) Right? I remember these things happen. It's like, what's our response plan? The executive wants to know how bad is this, especially in OT. And dude, it would literally take months, if not years, to figure this out. Like, how bad is this? And same with threat actors now, right? Volt Typhoon, right? You're seeing all these typhoon people, groups from China come out and all these threat actors. It's like, well, Volt Typhoon targeted us. like what sites or what areas would be more prone to maybe they be more successful in, right? And so now we can, since we understand their TTPs and tactics, because they are human at the end of the day, right? They are people. Normally they have the same tactics they use across their targets. We can start simulating this at scale and say, oh, Volt Typhoon did target us. we probably wanna do these three or four things. And so if we can start doing that and helping people with understanding their response to these big threats, to these celebrity vulnerabilities, I think that's really pushing us in the right direction because right now I just feel the community is just kind of stuck in the mud with just noise. Like the first generation tools provided a ton of data, but now let's just kind of drive a lot of that. action and value and that's where we're, I mean, it's not just us. Like there's some other great, you know, second generation OTTools out there too. But yeah. Aaron Crow (42:47.79) 100%. that's, that's the key that you just hit, hit on the head there. Right. And I want to double click on it, right. All of these tools are great. Like having visibility again, I was doing this back in what 2010, 2012 or whatever, we were rolling out, you know, visibility tools and I was grabbing stuff from four scout, but not that was before they bought silent defense. Like that was, you know, I was, I was grabbing counteract and throwing it in, in, in OT spaces and what's up gold. you know, uh, know, uh, WSUS for patching and, know, and I was rolling out Palo Alto firewalls and, and, you know, we were doing full packet capture on through a gigamon and, you know, we had data deduplication and like, I was doing all this corporate stuff because I came from an enterprise. also had IOT experience, but I brought all that IT knowledge and I implemented an OTSpace, but I had to it really carefully for obvious reasons. Cause I didn't want to break a network and, and all the things, but. Brian Proctor (43:39.584) Dude, I'm not kidding you. I heard about you. I didn't know it you behind it. I was at Forescout and they're talking about the company you worked with and they're like, yeah, they're using basically NAC and like RIT product and OT. I'm like, wait. Like who's doing that? And then later I found out it you. I'm like, oh, this makes total sense, man. Yeah, that's great. Because actually, actually, NAC has a great use case in OT. It actually makes a lot of sense. You can get it to work. Aaron Crow (43:58.542) But I mean, and that, and that was like, yeah, 100%. Yeah. And, know, and people are so scared of active and, you, you for good reason, like we have to be careful in these spaces. But, know, again, I was doing active in, in OT and critical infrastructure and power generation with Turbine Control Systems and all the things more than a decade ago. Brian Proctor (44:13.835) Yeah. Aaron Crow (44:25.87) And again, not even with OT aware protocols, like they didn't know they were not OT products. They didn't know anything about OT. They didn't know DMP3. They didn't know ether IP. They didn't know profinet. They didn't know any of that stuff. I was just doing generic IT monitoring across with a knack, right? And, and, but the point is, is that, you know, even after we were, you know, I was probably leading edge. I like to say that I think we were probably some of the most leading edge. I think that architecture. Brian Proctor (44:36.363) Thank you. Aaron Crow (44:53.024) even though it was implemented more than a decade ago, is probably still one of the most advanced architectures in OT space that exists. We were doing packet capture. We were getting monitoring off of every switch, two packets or two span sessions off every single switch and capturing the entire network and keeping all the packets for the entire network for 90 days. So I could replay packets and see everything East West, everything, every packet on the entire network. I had a copy of it. Brian Proctor (45:10.603) Wow Was that like net witness I mean RSA was in that space Okay, nice and sick Aaron Crow (45:19.754) It was a net net VCR. Yeah, it was a net VCR. So we had that. And then we had, you know, again, we had Splunk. I implemented Splunk way back then. And we had our own segmented OT network, had secure mode access. I had change detection. You know, I had all of these really, you know, our own active directory forests and, you know, patching systems. We're using WhatsApp gold for availability and SNMP monitoring. And, you know, again, I was just using things that were available in the in the IT space. Brian Proctor (45:37.163) Okay. Aaron Crow (45:49.186) But even with that, like I had a team of six and you know, we had, you know, some contractors that worked with us too, but we supported 48 power plants. over three years, roughly three years, it took us to roll all of that out, you know, actually deploy it. But I didn't have anybody back at the office, like getting the ROI out of it, right? Like taking the, what, like we talked about this. I think we talked about it before we started recording, but you know, all this asset visibility, all of this. Brian Proctor (46:08.913) This stuff. Aaron Crow (46:16.576) all screw about access, all that kind of stuff. It's the so what like I get all the stuff to Splunk. Then what? Like what am I looking for? How do I show value? How do I show ROI? And when I pushed this stuff way back then, I wasn't pushing cybersecurity. When I went to the businesses and I was pitching this, it was like I can improve visibility in your environment. I can make your environment more reliable. I can tell you when problems happen. I can troubleshoot them faster and I can get them back up faster. And that's what it ended up being. And my team was first response. Brian Proctor (46:36.107) Oh yeah. Right. How many times do they reach out to you? How many times do they reach out to you? Like we've got a problem over here. Can you give us the, vendor wants like a PCAP. Aaron Crow (46:45.592) for a network outage. We weren't worried about China. I never told a single plant manager that China or bad nation state attackers were coming after us. Never once. Like that was not my use case. Aaron Crow (47:02.775) all the time. Brian Proctor (47:03.834) Like a PCAP. dude, happened to me all the time. And then you're like, thank God. Like you've deployed your technology because this is helping us. Yeah. Maintain reliability and help improve it. So that's the, that's the thing with OTC. If you're not talking what the business cares about, like, your business cases, your projects, they're never going to get funded. There's gotta be value from an OT perspective from, from like an you know, safety, reliability, availability perspective, because if you're not doing it, it's going to be tough. Aaron Crow (47:33.986) Yep. It is. again, like cyber is a, is a cost center. We know that like usually when I'm bolting on these cyber tools, the plant manager doesn't care about them. And when I say that, I say this a lot, but what I mean by that is that it doesn't improve their process. doesn't make them more reliable, just a cyber alone tool. Yes, I'm, stopping an attack. I'm reducing my risk, all that kind of stuff. Those are all truth, but, sometimes it comes down to I've got a dollar to spend. Do I spend that dollar on? Brian Proctor (47:42.186) Yeah. Brian Proctor (47:51.956) And you Brian Proctor (48:00.613) Thank you. Aaron Crow (48:07.394) you know, boiler, you know, boiler feed pump maintenance, or do I spend it on a cyber tool? The plant manager would rather spend it on the boiler feed pump because he knows good and well that thing is going to fail and cause an outage if he doesn't do that work, right? And if I have to choose one or the other, I'm going to choose that every time. Cause I know good and well that is going to fail in six months if I don't do something, or it's at least going to degrade its performance over that six months. So I'm going to make less. Brian Proctor (48:07.738) Right. work. Aaron Crow (48:31.042) I'm gonna be less efficient over that time and then I'm gonna have to kick it down the road for a little bit longer and make less profit on the thing. So that's a direct correlation to bottom line, to people's bonuses, to availability, to safety, all the types of things. You can't tie a cyber program directly to ROI and safety and reliability. So we've gotta start thinking outside of the box and that's what I love about products like what you're talking about. Brian Proctor (48:55.34) What you're talking about. Aaron Crow (48:57.676) Right? As you can do this at a bigger scale without having to have to staff up a hundred people to roll it out across these environments. And you're getting a huge ROI on this because you're able to say, I don't care about the noise of 80,000 vulnerabilities. Go fix these four. If you go fix these four, the rest of them don't matter. Not that they don't matter, but you don't have to worry about them today. Right. Brian Proctor (49:14.108) Yeah. And then trend and then trend that over time, like stuffs improving. That's another huge problem for OT programs is like, are things getting better or worse? Is your like, is your posture getting better or worse? I think right now we don't, know, Dale has this big thing about metrics, you know, every year he's like, what's the best metric, which is, you know, it's a good question. I mean, I think metrics in the whole cybersecurity space has been tough, but if we can start trending over time, like you have less attack paths, probable attack paths, less TTPs and reducing this, like then your security posture is getting better. Or if you're opening up a bunch of firewall rules, letting everything in, you got all these vulnerabilities, like more vulnerabilities, more devices that are just terrible. Well, stuff's probably then going to go down. So having that way to show your management and your executives things are getting better or things are getting worse, that matters. Cause right now I think people are looking at like alerts and alarms and or vulnerabilities, which is like just a complete BS type of metric just because you have no control over researchers finding new vulnerabilities. You have no control over. Hey, my solution provider came out with a hundred new detections this month. And so now we have these huge spike of detections because we're detecting all these new things that we previously weren't detecting. Like it has no relevance on is your posture getting better or worse. And that's what we're trying to do is like, dude, sniff tests, are things getting better or are getting worse? Are your activities actually, are your activities that you're doing and you're focused on actually matter? Yeah. So that's. That's what, when I led my team, it was just really hard to do was figure out kinda what actually matters. Because there's there's so much to do, right? There's so much data, there's so much priorities from all different angles. And so really focusing and honing people. And one other key thing too, man, is having new technology, there's always this question as to how do you operationalize it? Brian Proctor (51:31.793) Right? Like, it, is it going to take an army of team or do I need like a, a senior person who knows how you like, you need to be senior to run a tool. That's a big thing for cybersecurity teams. When I ran a team, it's like, we're looking at new technology, but guess what? You need like a freaking advanced pen tester to run this tool. Well, I've got one on my team and, and you know, he or she's doing running, you know, 10 other tools like. Like we've got to have tools that are just like simple and easy and obviously use automation to fix things or we're not fixing things. We're not like, hey, change your font role rules patch, but we can, you our vision is a lot of people have, you know, ServiceNow ticketing tools. have Soars, Swimlanes of the world and everything like this. We can integrate with those types of technologies and have. you know, a man or women in the loop and say, yeah, this looks good. Like, let's make sense. Let's make a change. Because obviously, know, T people are very, very scared and want to make sure you know, you do the right change. So that's where we think like, like we're like we're going and, having a tool that, that doesn't require an army to operationalize for, for companies. Cause look, there's, there's a big movement too in all of cybersecurity, like reduce the amount of tools, right? Reduce the amount of tools that people have. We think, yeah, we think with simply either uploading data or connecting through APIs with the data that you already have, with the tools you already have, that's kind of easy when you don't need, you don't need a senior OT expert to be able to like run and understand kind of what's happening, so, which is nice. Aaron Crow (52:57.997) Yeah. Aaron Crow (53:21.464) Well, and as an advisor, advisory consulting, that kind of thing, why I'm excited to partner and work with you guys. obviously we have the AI tabletop thing that we already offer to our customers and you guys have a partnership there and an integration there. So that's just another enhancement on how do I do more with less, right? So how do I get more value out of an effort? The old school boring tabletop that's static and doesn't have any actual data feeds or anything like that. Our AI tabletop is way better than that. And then you add on the attack path and the output from y'all's tool as well into that. So when it's doing those tabletop exercises, it's using what it knows about your environment to show the attack path and what the potential bad actors can do and how they would do it. And then you can say, okay, how would like... Brian Proctor (54:00.39) I'm using what it knows about. Aaron Crow (54:16.46) this is how my environment is. Let's pretend I can't fix it today. How could I go about defending against that? Where are the places that would bring down the dominoes of my environment and start having that way again, it's all about prioritization. If I've got a thousand and every OT place we've ever been to, they all have a thousand or more problems. Okay, they can't fix them all tomorrow. So if I had to fix one, Which is the first one? Okay. And then what's the second one? And then what's the third one? And then what's the fourth one? Like that's what somebody needs. An action plan that says, I used to be a hundred pounds more heavier than I am now and I lost a bunch of weight, right? If you're trying to lose weight, you don't think about, you're not worried about all the different, or fad diets and all the different things. What is something I can do today that can make me better than yesterday? I'm going to get off my butt. I'm going to stand. I'm going to drink water. I'm going to, you know, I'm going to do. you know, start implementing good actions, right? Small things. Yeah, exactly, right? I'm going to implement these things. And then you build your program up better. As you start knocking out the higher risk things, then your posture drastically increases very quickly. And then, you know, you could start tagging on the smaller things and you just do those things over time. But the things that don't matter as much, you push them out and do the things that do matter. And that's the value add I love. Brian Proctor (55:09.087) It's a good demo. Aaron Crow (55:34.03) the value proposition for that product, especially those integrations with our tabletop and how that really enhances an offering of knowing where you're at, where do need to focus my time? And that ROI is just exponential. And it all goes back to numbers, right? Every OT person, CISO, C-suite executive is looking for what did I get by this time, effort, money, product that I just deployed and having the ability to show that and real subjective Brian Proctor (55:57.734) Yeah. Dude, Tabletops, yeah, we're excited about our Tabletop partnership. And yeah, I mean, you've been part of them. Yeah, there's just like, okay, some scenario, if you can bring real threat actors with, you Aaron Crow (56:03.15) or fact-based data points and where it came from and showing the work, like you said, that's priceless for most leadership, Brian Proctor (56:27.616) your real kind of sites and networks and assets that you run that are applicable to your environment, you're making your tabletop exercise, you know, I'd say 10 X more valuable because just like, okay, this could really happen. Like this is real, right? And then and in running through this scenario and working through it. Yeah, we're we're we think the tabletop OT tabletop kind of space is also ready for some innovation and changes there as well. Aaron Crow (56:39.33) Yep. Right. Aaron Crow (56:58.71) Awesome, man. So I asked this question to everybody. I know we've talked about a lot of that, so you may double click on some of the things we've already brought up, but over the next five to 10 years, what's maybe one thing that you see come up over the horizon that's exciting and maybe one thing that could be concerning that we need to make sure that we focus on or that our practitioners are considering? Brian Proctor (57:12.709) because of the great topic. with our content with the center. Yeah, I think I know someone's already said this in the pod, hopefully not. But I think I think AI for both, right? I mean, look, AI is changing, changing our world so, so quickly. And and I think for the good. But what scares me in 10 years is I actually had a conversation two days ago with the CISO of Anthropic. It was an unbelievable. conversation. And I mean, AI is is is I actually just saw a report actually that talked about adoption of AI compared to the adoption of the internet. And it took it took the US 23 years for 90 % of the of the US to adopt the internet. It took I want to say it was three years for 90 % of the US to adopt AI. I mean, there's a lot of reasons because people have phones now and computers and everything else, but the adoption of technology and the speed that AI is moving at is 100 % exciting. I think everyone was kind of iffy, especially security people, everyone was a little pessimistic about AI. Is it really gonna be as good as we think? I think it's kind of shifting and people are realizing like, this is here to stay. There's some huge value adds and benefits here. So it's definitely here to stay. And then of course, the scary part, mean, yeah, Skynet and all that. mean, let's be honest, but these AI models are freaking, are getting good. Like we're doing benchmarking of AI models. Brian Proctor (59:06.212) We have some really cool partnerships with people who do a lot of the questions for all the security certs, like all the technical ones, and we're actually benchmarking our model compared to other models. And dude, like these models are in anywhere from 70 % to like 90 % getting all, like pen testing, offensive stuff, CISSP, like... they're passing these at crazy high rates. So yeah, and then obviously you put your cyber security hat on and you're like, wow, if somehow if malware starts adopting AI and starts morphing, like it can get, you can go down a dark, dark hole. And that definitely scares me. And I honestly think that as defenders, you need to be embracing AI because the offensive people and the threat actors and adversaries, they are already doing it. And if you're not thinking about it, you're gonna be, you're gonna be a lot worse position than if you really just embraced it overall. I'm not saying send all your data to some public chat thing or open model, but you really need to be thinking about how you can Aaron Crow (01:00:09.71) Yep. Aaron Crow (01:00:21.742) Sure. Brian Proctor (01:00:30.211) leverage AI to boost up your defenses because at the of the day, yeah, it's gonna be like up to you to build your defenses against these various threats. yeah, love AI, hate AI. There's gonna be so much innovation. I'm so excited to just be, start a company in the OT cyberspace. that's really adopting and in being AI native because it's just gonna get better and better. And like, I see demos from my development team, like every week and let's like the improvements. Like, I mean, like our own developers are coding like so much faster to coming up with features cause they're using AI to code, right? And it's just, it's absolutely incredible. It excites me. And yeah, yeah, I just... Aaron Crow (01:01:16.951) Of Brian Proctor (01:01:25.731) It's gonna be, I think it's gonna be a really cool next decade for sure. Aaron Crow (01:01:31.286) It is and I agree with you 100 % like AI is the exciting part, but it's also the terrifying part. To me, it's more like the script kiddies of the, you know, when the internet first existed or even before the internet, when people were, you know, know, freaking and calling, you know, using, you know, modems, things like that. You didn't have to have a lot of technologic, technological knowledge. You could just copy and paste and those attacks were valid, right? But when you, when you look at AI now, because we had Brian Proctor (01:01:37.347) it. Brian Proctor (01:01:47.746) this question. Please, get me out of those attacks. Brian Proctor (01:01:59.074) And now. Aaron Crow (01:02:00.942) before that, you know, we put on so many controls, firewalls, et cetera. A lot of that stuff just got blocked and it wasn't really a risk unless you were stupid enough to put your OT device on the internet and then you got what you deserved. But you know, these devices are open protocol. They're not encrypted by design, all that kind of stuff, right? But you know, with AI, I don't have to be an OT expert to be able to understand protocols. I can say, hey, there's a Brian Proctor (01:02:04.898) It's. Aaron Crow (01:02:30.894) PLC that's this thing, I'd take a picture of it, and then AI will tell me what the hell it is, what products it runs, what protocols it runs, what vulnerabilities it has, and then probably even help me write malware to go after that thing with having zero knowledge, just with me asking a prompt. can it do it 100 % today? No, but it's pretty close, and it's just getting better every single day. So the bad actors don't give a crap about your policies or procedures. They don't care about Brian Proctor (01:02:35.851) Yeah. Aaron Crow (01:02:59.66) you know, using AI or the cloud or any of that type of stuff, they're going to do whatever they can. you know, I continue to hear multiple things from why would anybody want to attack us? We're too small. Nobody would care about us to, you know, this has never happened. We've never been hacked in 40 years. Why would we start now? Right. So both of those are just very short-sighted and very obtuse in that they just don't understand most of these. They're not all just nation state attackers that are, Brian Proctor (01:03:04.53) Okay. Aaron Crow (01:03:27.47) China and North Korea and those kinds of things that are trying to attack American companies or UK or NATO type companies. Some of them are just people trying to get money and they want ransomware and they want to lock down a machine and get you to pay them a ransom. It could be $500, it could be $1,000, it could be $10,000, it could be million dollars. They don't care. Whatever the asset is, they don't care what it is as long as they can lock it up or take it offline and continue to take it offline until you pay them. Brian Proctor (01:03:32.661) Yeah. Aaron Crow (01:03:53.94) it's just a target opportunity and it's a target rich environment because we know this O.T. space is, to your point earlier, we're in the infancy stage of securing this space, which means that by definition, that means we're not super mature in this space. So that means that there's a lot of vulnerabilities and a lot of target rich environment for bad actors to take advantage of in the space. And we know that, right? And we're behind the eight ball on resources. We have a skills gap. Brian Proctor (01:04:01.505) Okay. Aaron Crow (01:04:23.554) you know, resources gap, like all this type of stuff. And we're super slow to adopt technology and OT and adjust changes. Like I remember it was super hard to even get a firewall implemented at these spaces because they didn't understand it. Virtualization was outside of their scope and they didn't want to do it. Like all secure mode access? No, I'll just plug in a wire directly in when somebody needs it. Like that's the type of, and these are not, this wasn't 50 years ago. This was like five years ago. This was a few years ago, right? These are, These are common problems that we know are. Yeah, exactly. Brian Proctor (01:04:52.116) Last last week Well, well after hearing this yeah, we don't want to depress everyone about the OTE space or be very weird, but this is, you're right. Another hot take I will have is I think vulnerability management is going to not disappear, but it's gonna not matter as much because the reality is AI is gonna find zero days at speeds that no researcher or human could ever do. And there's always gonna be bugs and vulnerabilities. So then it's gonna be about, not about, Can we patch everything as fast as possible? It's gonna be like, what about the other controls that we have in place, right? Like, can we recover? Can we do this and that? So yeah, it's gonna be wild. So yeah, I appreciate you having me on, Doug, man. Aaron Crow (01:05:42.274) Yep. 100 % agree. So, so what, yeah, man, what, what's the call to action? How can people find out more about, you guys, see you guys speak all the things. know y'all have a lot going on. Brian Proctor (01:05:56.809) Yeah, obviously our website frenos.io. Yeah, we're speaking. We'll be at Black Cat and Defcon and B-Sides. We're actually flying on our whole company. I've read it out. A huge Airbnb for our whole company is going to be awesome. So we will be out there. But find us on LinkedIn as well. check out our. This is a plug for Frenos Fire Fridays. really cool kind of TikTok like videos that we release every, every Friday. Love like, you know, 20, 30 second videos giving hot takes for the OT cyber community. Aaron, need you to record one for us, but yeah, check those out. Those are fun. We've had, we've had Robin Lee, we've got Patrick Miller doing one. We've had Vivek who works for me, who works for Freitas. I'm coming out with one, we've got Daniel Johnson from Nozomi Network. So yeah, we've had a bunch of people do them, it's fun. Just gives people different perspectives and hot takes on what kind of opinions are at that time. So it's something that I like doing. I just like to give alternative views of kind of people's opinions and thoughts. So check that out as well. Aaron Crow (01:07:21.304) Yeah, absolutely man. I for sure will. So y'all, everybody check that out. I put all those links in the show notes down below. Happy to do one of those videos with you guys as well. Obviously this space is important to me, but yeah, definitely check it out guys. Innovation doesn't have to be risky and there are good ways and great ways to do this. And this is an example of one of those that's a really... Brian Proctor (01:07:32.927) This is a positive thing, but yeah, definitely taking up. Aaron Crow (01:07:46.434) great way to do this without breaking the bank. thank you for that, Brian. Thanks for coming on. I appreciate the time today and digging into some of this stuff. We've been around the block a few times and the gray in my beard kind of showcases that, it's not going away and we're not going away. So let's just keep pushing forward and definitely reach out to Brian and his team. Happy, sure, to talk everybody through in detail what it would look like. Brian Proctor (01:08:07.852) All right, take care. Cheers. Aaron Crow (01:08:12.478) and look at these new types of technologies and use them in your space to help reduce the risk and increase the safety in our spaces. So thanks for your time, man. can't wait to, I'll see you in Vegas for sure. And I'm sure probably other places as well, man. Thanks for time, buddy.
Previous Episode

Other Episodes

Episode 38

December 30, 2024 00:22:56
Episode Cover

How to Protect Yourself and Loved Ones from Cyber Scams

In this episode, host Aaron Crow delves into the increasingly sophisticated world of cyber scams that aim to steal money and identity. Discussing real-life...

Listen

Episode 11

June 10, 2024 00:52:31
Episode Cover

Cybersecurity and Safety Risks of Modern Vehicles: Understanding Vulnerabilities and Solutions with Kevin Walter

In this episode, host Aaron Crow interviews Kevin Walter, an expert in vehicle security, about the growing cybersecurity and safety risks in modern vehicles....

Listen

Episode 15

July 08, 2024 01:03:13
Episode Cover

Navigating Cybersecurity in OT: Challenges, Tools, and AI Integration with Joseph Perry

In this episode, Aaron Crow and special guest Joseph Perry dive deeply into the evolving landscape of cybersecurity. The episode explores the integration of...

Listen