Episode Transcript
[00:00:00] Speaker A: You're listening to Protect it all, where.
[00:00:02] Speaker B: Aaron Crowe expands the conversation beyond just.
[00:00:05] Speaker A: OT delving into the interconnected worlds of IT and OT cybersecurity.
Get ready for essential strategies and insights.
Here's your host, Aaron Crow.
Hey, welcome to the Protected all podcast. I'm very excited to have my friend Dan on the call here today. Dan, why don't you introduce yourself, tell us who you are and a little bit about your background and history.
[00:00:29] Speaker B: Sure. I'm Dan Ricci. I'm the founder of the ICS Advisory Project.
I am also a senior consultant with Ampex Cyber and also I've done a lot of independent cybersecurity consulting. My background in cyber security really started in the Navy. I was in the Navy for 21 years, both enlisted and officer, was a warrant officer and I learned most of my skill set in instant response, vulnerability management, threat intelligence analysis, and offensive cyber operations. During that time frame.
After I retired, I worked for one of the big four doing consulting and then after that I transitioned back doing defense contracting work, doing cyber risk assessments and building automation systems, meaning power distribution. Also some water treatment as well. I pivoted back doing a role that was more senior information security officer role, establishing a Cyber Security maturity model certification, CMMC more tied to the NIST 800171 cybersecurity standards for a company called Frequentis Defense. And they manufactured embedded voice gateways.
So I got a lot of experience doing product security as well, understanding how that relationship between the customers and cyber security works. Also got my hands really deep involved in supply chain risk management because of most of their customers that we were selling to were either in the DoD or US government. So really heavily involved in risk management framework as well. So that was a good experience.
I transitioned from there working for short stint with Sensaber doing the research director position till their demise. And then I transitioned into a role at INL Idaho National Labs. And during that time frame over the year I led the Cyber Shield program which was focused on cybersecurity for renewables.
I wrote the the Malcolm Deployment Guide for Solar Power Generation with, with the Malcolm team while I was there. I thought that was a, a good contribution to the community since it hadn't existed previously to kind of show where you would deploy that guide into the, into a power generation system. So.
And you know, I found that it was time for me to go out on my own. I finally like decided to like break off and I had an opportunity to go work for Patrick Miller at Apex and I just went off and did that full time since this December I transitioned. So really excited in this new role that I'm in. I feel that now in this new role, I have the capability to assist a broader group of clients in the energy sector, also in other critical infrastructure sectors, having that flexibility again, Vice, you know, the constraints of being with an organization kind of, I wouldn't say muzzles you, but definitely limits on how you communicate a little bit.
[00:04:18] Speaker A: 100%, you know, being prior big four, obviously, if you know me, you could probably tell. You can look at my LinkedIn and say who that is. And I loved my time with the big four. There's a lot of benefits. It opens a lot of doors. Having that, you know, behind my, my title, you know, I'm with XYZ company. But to your point, I would never be able to have this podcast. Like I, I would have to get everything ran through legal and, and for obvious reasons. It's not because they're bad. It's because there's high standards and SEC requirements and all these things that go into it that have nothing to do with cybersecurity. It has everything to do with. Because they're an accounting firm and they, they do, you know, SEC audits and, you know, if you don't know what we're talking about, take a look at Enron in the past and Arthur Andersen. And that's kind of the big scandal that really forced all of these regulations and requirements upon these big four consultancies. And not just the big four, but any SEC auditor that's, that's, that's auditing the books of publicly traded companies. There are requirements for all their employees to have these, you know, continuing education hours and they go through your finances with a fine tooth comb like which not to get political, but that's the whole thing that boggles my mind that our Congress and senators can invest in whatever they want. But me as a, as a cybersecurity person at a big four consulting firm, I couldn't buy individual stocks because it was against the law and they'd fire me for it and I'd be fined. Like. So we figured out how to do it. It's just, we don't implement it for everyone. It's just the lowly people like me and you that are impacted by it. But anyways, I diverged down a path. Tell us about, really quick. Tell us. First of all, I love Patrick Miller. He's one of my favorite people. Love, love all that you guys do.
But definitely tell me a little bit about you. Kind of breezed over it. But tell us about the ICS advisory, like what is that? And if you haven't seen it, the link will be in show notes. But let's talk about that a little bit. And it's more than just a pretty dashboard. So talk us through why'd you create it, what is it and what, you know, the kind of life cycle of it.
[00:06:26] Speaker B: Yeah, absolutely. So the ICS advisory project was born out of my experience of doing cyber risk assessments both during my time with Deloitte and also when I went and was doing cyber risk assessments within the DoD and realizing that the way organizations tracked vulnerabilities was inconsistent. And I thought it was pretty burdensome for, for organizations, especially small organizations where you'll have maybe like one or two people that are trying to track vulnerabilities and that exists all over the place. And I realized that, you know, well, CISA was doing a great job, you know, documenting, you know, existing ICS specific vulnerabilities and providing a good report. But the report was done in, it was a HTML report obviously website. Not everyone always goes and visit websites. But also they also had to, you know, sift through the different advisors themselves and read through them. And I thought, well, maybe we can make a way to filter this and make it really easy for them to find. You know, I only care about these vendors, I only care about these products, you know, and I want to understand, you know, where these products are, are manufactured or who are their headquarters located at. I want to understand, you know, the, the CVSS score the severity of it and start to break it down as I go. Well, I could take that, you know, that information that was in previously in HTML format. Now it's in JSON through the C staff format that they do. But. Net. But provide it in a way that, and visualize it so they can quickly find what they are looking for. Right. Like I mentioned with the VE and products then start to prioritize it visually and then create a means where they can export it, you know, as like a CSV format. Because you know, a lot of small medium sized organizations are working with you know, CSVs and Excel documents still. So lowest common denominator. Right.
Because they're, because they're, they, these small companies don't have, you know, developers, they don't have a team to like, you know, build tools and they don't have the time time either. So I thought I have, I can make time to do this and I can create a dashboard that could start to help them. So that was really the genesis of all and it went through iterations. I mean I was building like the earliest forms of the ICS Vice dashboards in like you know, pivot tables and slicers and you know, charts and graphs and Excel and then building them out that way and then like sharing them with people and saying and getting their input like on, do you think this is useful? I mean what do you think about this? You know and when I was doing assessments at, in the dod, I would create like a lead behind document or a lead behind Excel with, with a dashboard pivot table of all like you know, applicable CV CVEs for their, you know, for their products and leave that behind. I was going, I said well this is just a snapshot in time. I really need to build, you know, something that is updated and maintained. And that's, that's kind of where it came from on that, that's where it came from.
Around 2020 and 2021 I started looking at like what platform I was going to put it on, how I wanted to build it. And you know, obviously, you know, everyone, a lot of people use Elastic and use Cabana to build dashboards but I didn't want to pay, pay a significant amount of money or even a monthly fee for something that I was going to give up for free. So I discovered that you know, Google Data Studio, which is now go to local studio, was available and free and I could build dashboards and provide them publicly. So I was like, okay, I'm going to do this. And that's where, that's why I went this direction. And you know, could someone easily have done this in like, you know, Microsoft Power bi? Yeah, absolutely. I built my first dashboards that were similar to the ICS Advisor product dashboards in Power BI for internal use within the organization.
So I mean building it, building this public platform was really meant to kind of save a small, medium sized asset owner the pain and hassle to you know, build and maintain this and give them a tool that they could just easily prioritize their vulnerabilities and start planning action and milestones towards mitigations. And that's another really important point about you know, the society survivors. They make the best attempt towards providing a, a list of mitigations towards addressing the vulnerabilities where I think CVEs, you know, they're great for like on here's the, here's the threat, here's the problem, but really doesn't talk about the solution unless, unless you like dig in and like go, go into looking at the vendor's website where at least like CIS is making a really good effort to summarize it. Well, CISA and Idaho National Labs, I can't really leave Idaho National Labs in there because they really support and develop the advisories themselves and then CISA turns them around and puts them out. But this is like really important for you know, those asset owners to, you know, not, you know, sit there and you don't want to sit there and pontificate about the vulnerability itself. You know, you want to take action. Unless if you're looking at, from an OT engineer or, or asset respective.
They don't want to marvel at the problem. They want to fix the problem and move on and maintain their operational availability and integrity of their systems. That's what they want to do and they don't want.
So whereas like, you know, most of the tools out there that are built, they're built from a, they're built by cyber security professionals.
[00:12:32] Speaker A: Correct?
[00:12:33] Speaker B: You know, we are, but they, they're built towards that audience, you know what I mean? And they're built towards that user.
I tried to like cut the difference in my dashboards where they can also, they can help that audience, a cyber security analyst, but they could also help an asset owner in starting to do their address vulnerabilities. You know, that's, that's, that was my thought process here.
[00:12:57] Speaker A: Yeah.
[00:12:58] Speaker B: And I think that was. And that's where I continue to like look at where I can make improvements, maybe make new dashboards that kind of help them identify like more rapidly identify the, the vulnerability severity, you know, how severe it is or whether this, either if they're going to have to patch it now, later or never, you know, and that's pretty much been the method, methodology, methodology for you know, OT vulnerability management. Right. Because you're in an environment that you can't just simply patch, you know, there's, there's a whole process to doing any sort of vulnerability patch management in an OT environment because the, the, the risk to operational availability is so much higher than your IT environment, you know, 100%. Right. So we, and that's, that's, those were all these things that were in the back of my mind thinking about and when I go and try and develop a dashboard.
[00:14:04] Speaker A: Well, I think you hit on so much there, right? Is, is you saw a need, you saw a gap, you saw something that you could provide value. And I want to get, I want to come back to that in a minute because I'm seeing your, your shadow box behind you and I want to. About that transition that you made as well. But, but you, you hit on something that's really important and, and most tools in this OT space are built for the cyber people again. So you and I, you know, I, I also, you know, hard hats up there. Like I, I came from an operational background as well, working in power plants, not just as the technology and cyber guy, but working outages. You know, I, I wasn't an operator but I was directly supporting operators. So I have a better understanding than some in just the cyber background. Right. So to your point, the operator, and especially at small and medium sized organizations, a lot of times that operator is the one that has dual hats. They're wearing the operator hard hat and make. Their primary responsibility is to make sure that the thing works, the process works, the plan is up and running, the manufacturer, they're sending widgets, whatever they're producing or doing, safe, available, reliable, etc. There's secondary tertiary, maybe even fourth, fifth or sixth responsibility down the list is cyber security. Right. It's a, if I have time and I've done all the other things on my list. Oh yeah, I also have to do these other things that are cyber related. So we, we have all these things. And, and when you say what you said this minute ago, we don't just always patch, right? You take a cyber person out of an IT world and give them, and drop them in an OT space and say, hey, I've got Windows XP and I'm not going to remove it and I'm not going to patch it. Their heads explode. Like, what do you mean?
I know I sound like a broken record to the audience that's heard me talk about this, but it's, I really want to beat that in. And there's other ways. Like you can mitigate risk in a lot of different ways and in ot we mitigate things in it. Of course you would patch it, you'd kick off a Windows XP machine, you'd never let it on your network. There's just no reason for it. But in an OT world, that's just not the case. So there's a lot of other ways that I'm going to, in fact, many times I'm going to say I'm not going to patch that because I'm a afraid it's going to break and I'd rather put a different mitigation, turn off services, put in an additional firewall like restrict access to physically being in person. Like there's a lot of different things that you can do in this OT space that mitigates Those things. But to your point, and what I love about your dashboard is yes, it offers mitigation options, which is what CVEs do, right? They do tell you some things that, hey, I can, you know, cvss, it tells you my risk. But I'm also, there is some mitigations on if you apply this patch, you'll fix this or if you disable rdp, right. If it's an RDP thing and I can't patch it, just turn off RDP and then I don't have to worry about it anymore. Right.
But to an operator, it's more about prioritizing and really truly understanding their risks and being able to make an informed decision of. And it's not always if or when. A lot of times it's when can this wait until my next outage? Can this wait until the vendors on site to support this? So I have them install it on their equipment so if it breaks, they're here to fix it. Because a lot of times that's what happens is they're these, these small entities depend upon their vendors. And when I say vendors, I'm usually talking about the big control vendors, the Rockwells, the Emersons, the Foxboroughs, the Toshiba's, the Schneider, like all that type of stuff. They're depending on those vendors to be the subject matter experts in these spaces. And they're usually uncomfortable making changes to those environments because a lot of times they don't have the ability to change it or if do change it, they're afraid that the vendor is no longer going to support it and say you changed it, you broke it, it's yours, good luck. And they're not willing to do that. So the risk to your point is far higher to patch it than it is to leave it unpatched because they know if they patch it and it breaks their, their post. Whereas if they leave it alone, more than likely the risk of the probability that a hacker is going to get that far in and all these other things are going to happen in a perfect storm is lower than the almost guaranteed risk that if they break it, they bought it.
[00:18:20] Speaker B: On the flip side, absolutely hit on everything. Everything that we all we've encountered in the real world. When you're like presenting like the list of vulnerabilities that you identified and, and seeing their reaction to like, yeah, that's, we're not doing that. It's like, and you just kind of, and you know, the, the part of it is you, you accept what they're saying and then you propose Like a list of compensating controls to address it. So. Okay, that's fine. Learn to live with these risks. These are the compensating controls you're going to implement and you're going to include a playbook for instant response when something does happen. Because it's not a matter of if, it's a matter of when. So have, have a plan in place.
I'm very much becoming a mindset. I mean I, I have become, have the mindset now that you just got to deal with it. You're right. Cyber security and risk are just part of the game and bad things happen. And having a plan to address a plethora of different cybersecurity incidents is, is better than not having one.
And, and, and that way you can kind of like live, you can, you can function within your organization to be prepared to address cybersecurity vulnerabilities and threats in, to your environment. I mean it's, that's so generic how I said that. But you know what, what, what I'm trying to say is, is I think they're instead of like, you know, the fud, right, have, have a plan and there's plenty of already written playbooks out there for addressing, you know, known cybersecurity vulnerabilities and, and, and preparing against threats that it's not, it's, it's not so much hard for the organization to do. What's hard is making the time to do it.
And like.
Yeah, and your point was resonated so much to me about, you know, the dual hat, the guy that's dual hatted that, you know, he's got a plethora of jobs of the DO already and you know, cyber security is like number four in his list. Right?
[00:20:47] Speaker A: Yeah.
[00:20:48] Speaker B: So I mean we as a community, what can we do to kind of like help them do that and how can we make it easy for them? So you know, we're, we live in the United States. We're very much a for profit. We're a capitalist country and everything is for profit. We really want to try and like help the community out as much as possible. And you know, I think consolidating and providing those resources and you know, pointing those smaller organizations to their resources is probably the best thing that we can ever do to like improve, you know, the smaller asset owners that are critical parts of our, of our critical infrastructure. Because a lot of times they're the ones that are main suppliers within our overall supply chain itself in the United States. You know, even, especially when it comes to manufacturing, right? You have, I saw this when I was working with Toyota and you know, Toyota was, I mean, I know they're not necessarily purely, I wouldn't consider them critical infrastructure per se, but they're a major manufacturer that could have a major impact to, to a large group of customers. But anyways, they, they obviously they use local suppliers within the, near their plants, you know, to you know, provide components and you know, it's not like their cybersecurity, you know, requirements flow down to, you know, those suppliers because we saw that like when you know, Bashuko was had a ransomware attack that affected and shut down operations for Toyota themselves.
And that was a few years ago. So I mean the same thing can happen from, from a defense supply chain perspective, right? And it's part of the reason why, you know, CMMC was established to you know, hold like contractors and also the subcontractors accountable to some cyber security standard because there are supply chain risk to, you know, to the overall defense of the United States and the capability and our cap defense capabilities. So I, I think, you know, trying to help those smaller organizations is, is really critical for us to you know, maintain larger organizations cyber security that directly impacts the United States. And I think this happens around the, this happens around the world as well.
[00:23:23] Speaker A: Well, you know what, what I love about again, it's like I told you, it's, it's the reason I started this podcast. It's the reason that you know, I, I mentor people and talk to people that are looking for jobs and how do I get into OT or how do I do this? Right? It's because to your point, and we, I think we said this before we started recording but you know, I, you and I only have so much time. I, I can only have direct impact on so many people and processes and technologies and programs and companies, right. I, I'm a consultant so I, I travel and I, I've had my hands on a lot of different OT programs across big and small from the largest country to probably, you know, some of the smaller ones in the country and kind of everything in between for manufacturing etc. But I can't personally design and, and implement OT cyber security across them all. They're just too vast.
But how can we impact and level up the playing field? Because at the end of the day you said something also important is I live in, I live in America overall. I live on, on Earth. I want the power to work in, in my country and I, and I want, whether it's in a small town or a big Town. And, you know, same thing with our allies, you know, whether they're on a different continent, you know, the things that we do here. What I love about power utility and a lot of these critical, you know, the 17 critical infrastructures is they don't really compete with each other. Right. So they're very open to sharing lessons learned. What's working well for them, what didn't work well for them, all those types of things. So when I get two CISOs from two different power utilities, name whatever ones you want, they have no problem saying, hey, this is the OT program that we're doing. This is the technology that we're doing. These are the attacks that we've gotten recently, like, all that type of stuff, because when they share, you know, rising tides raise all ships, they all get better. I've even seen a lot of the, the larger power utilities that are kind of helping their, you know, little brother or sister or whatever the heck you want to call them, the local municipalities, you know, because you look at a Duke Energy and they've got huge programs and, and teams of people and, you know, all this type of stuff. But you look at a regional municipality and we get back to the, you know, wearing multiple hats. They don't have an OT cyber staff, they don't have an OT sock. They're not hiring EY or Deloitte or PwC because they can't afford it.
But that doesn't mean they're not valuable. Like, no, a chain's only as strong as its weakest link. So if we look at critical infrastructure across our country, yes, Toyota, like you talked about, Toyota's got a big, great program, but what about the smaller players? Again, Toyota's not critical infrastructure, but the analogy works. What about a smaller, you know, a smaller one that is, you know, building 10 cars a year, you know, or the, the wastewater, the water. Municipalities are a great example of a critical infrastructure in our country that is struggling with budget, it's struggling with knowing where to start, is struggling with resources and technology and all the things. And. And we do have some great programs in our country to help, but I find a lot of times that sometimes they're just sitting and they know that there's a bunch to do, and they're just overwhelmed with, where do I start?
We haven't done anything. I don't have an OT cybersecurity person. I can't hire an ey, I can't hire a fancy consulting company. Where can I start? Which is what I love about things. Like, again, this podcast, but Your ICS advisory project. Someone could take that and say, I have this control system, I have these devices, I have these things. And narrow down the list of infinite numbers of advisories that are available to just these are the ones that are really just us. And then be able to prioritize that to say, this is my critical site. These are the systems that it has. These are the ones that are CBSs score 10. Let's focus on those first.
[00:27:20] Speaker B: Yeah, absolutely. Yeah. And while you're saying that, I remember the word altruistic. We don't always have the altruistic motivations to help these organizations, but we should. I think a lot of us can help out a lot and I think there's a lot of people in our community that do help, right? Oh yeah. And there are a lot of resources. I think it's just, I don't know if we always get and communicate to the right group of people. We're really good at communicating with each other within the cybersecurity community. But going to like the same, like cybersecurity conferences, great networking, great to see everyone, but we don't always touch all the other asset owners that truly need to help because one, they can't afford to attend the conference themselves. I think the efforts that are being done through the B side conferences are really great and I think those are a great way for, you know, those smaller organizations to have opportunity to interact with a lot of fantastic cyber security professionals because those are, are smaller and they're usually within, across the United States, different cities and the world. I think those are really, really great opportunities for, for asset owners and engineers Go to, but also go start going to the. I think cyber security professionals need to start going to those conferences that are very specific to those, those critical infrastructure communities that they're trying to help. Right. And you know, if you want to help people in hydro, you go to Clean Currents. You know, if you're going to go to, if you're going to go to, you know, anything in the electrical sector, you go to Grid Secon. You know, it's just, it really depends. I mean find, find the sector that you're trying to help and then go to that conference as a cyber security professional advice. You know, going to the same cyber security conference that you go to annually and go talk to these groups, you know, submit a paper and you know, present there. I'll guarantee you're going to have some really good conversations that are different than, you know, the same conversations that you're going to have at, you know, other Conferences, I think that's. I think that's where we can be. And maybe there are a lot more people doing this, but for me, I. I have found going to those other conferences, way more recording.
[00:29:38] Speaker A: Sure.
[00:29:39] Speaker B: And the conversations have been more focused on how I could apply my skill set and helping them by, you know, talking about, you know, the state of the community or state of the cyber security community. That's what I mean.
[00:29:56] Speaker A: Right. Yeah, but. But you, you know, there's something to that as well. Like, again, I want to continue to toot that horn of, you know, the advisory program, like you, you legitimately built. Built something because you saw that, you believed that it could help the greater community. Now, not everybody has a, you know, that exact idea, but I believe no matter where you are, whether you're brand new, you're a year in, I think we all have, you know, ideas and benefits that can. That can level up depending on your level of experience and expertise. But, you know, if you're trying to break in, like, I've had a lot of conversations with people that are trying to get an ot cyber security or cyber security in general, like, find something, build something. Right. And showcase it. You know, we do this in development. Like, we see this with GitLabs and GitHub and things like that, right. As they build something and they share it and then they grow it and it turns into something. That's really where I see an opportunity for people. If you're trying to build something, you know, or you're trying to get into something, build something, find a niche, that. That is a gap. And it doesn't have to be, you know, a full product. It can just be something. Can again, podcasts like I'm doing, you can presentations at conferences, the ISIS Advisor project that you. You've done, like, there's a number of things that we can do to give back to the community. And the really cool thing about it is, is that people know you because of it. You build a brand, you build some. Some credibility, and it helps you from a. You're not selling that thing, but that thing opens doors because. Oh, yeah, you're the guy that does the podcast. Oh, yeah, you're the guy that has the ICS advisory project. Like, I know you because of that. And that opens doors. Just like I mentioned before, you know, working at EY open doors because I had that name behind me. But I also having this podcast open stores, like, having cool conversations with people like you. Because the other thing about our network and this, the cyber thing that you just Talked about right. Is it is a pretty small environment and small network.
Most of us know each other. It's really easy to say, I, I would not recommend Aaron because he's a jerk. Or yeah, I, I've talked to Aaron and, and you know, he is who he. This, the person that you see on the podcast or on social media. It's the same guy you'll have go have a beer with in Tampa. Right? It's the same person. Like those are the types of connections and it's such a small world. Like that's how you break into this. You know, I had a mentor tell me a long time ago, all businesses, the people business. And I say that a lot and, and it, but it's true. Like when you realize that I don't care if you're the sales guy, the CEO, the, the technical person, you have to be able to have these interpersonal connections to build trust so that way you can move beyond. Because if we don't trust each other, then we're not gonna work together. Whatever you tell me, I'm gonna take with a grain of salt or sand, whatever. But once I trust you and I know who you are beyond just, you know, you sent me an email and said, hey, try out my thing. Once I see who you are and I trust that then I'm gonna going to mean more to me than just, oh, I randomly found the ICS Advisory Project, but I don't know what it is or what, what the value is. I don't know how much, how much stock I'm going to put into it. Right?
[00:33:03] Speaker B: Absolutely. Yeah. Yeah. And I, I think it takes time, right? It does. It's not something that happens overnight, you know, and it's, it definitely took a while for the ICS Advisory Project. The like, you know, build, build up itself and become like, you know, a recognized capability that's used within the community. But you know, you know, that was also the thing that I thought it was like, well, I'm gonna build this and I don't know if it's gonna get used or not, but I think it's gonna be, I think it's cool. And I think I'll just build it anyways and see what happens, you know.
[00:33:40] Speaker A: Yeah.
[00:33:41] Speaker B: And then, you know, over time I, you know, you figure out ways to like, draw attention. I mean, I built, built pretty much ICS advisor project through, through LinkedIn and building the connections there. And then, you know, it caught the attention of, of Deal Peterson and, and other people that are really big in our community and it started drawing attention to it and then over time, you know, I've had other conversations. I think my first webinar I ever did did about the ICS Riser project was with Nozomi. You know, Daniel Jablonski was very kind to invite me on to discuss it. It wasn't my best, you know, webinar because it was the first time I ever did but you know, it was, it was the opportunity to talk about it, you know, and there's, and after that I've had other conversations with, with, with other, with other groups through Unhacked Planet and other other podcasts. But I mean these are been all great opportunities.
Just like talking to you, Aaron. This is a fantastic opportunity to really kind of share the project and, and discuss how it can help the community and everything like that. But also, you know, having these conversations and talking about like, you know, our experience, shared experiences, lessons learned from working with the larger consulting firms and you know, the challenges that you encounter with being able to help, help the greater community when you're kind of like, you know, you're stuck doing professional services or staff augmentation only helping that one client can feel stifling.
So and it over time it doesn't feel like you're really developing your skill set more than just like helping this same client do the same thing over and over again when, you know there's other groups that, you know, other, other, other clients are asset owners that you could really be helping. So like your PO and having the, having these discussions is really helpful to those asset owners that might not that don't have the opportunity to attend the conferences and they can sit here and you listen and learn and you know, decide whether, you know, hey, I liked what that guest said on your show on Protect it all and understand, you know, how that that person project or you know, website or services might be helpful to, to their organization.
[00:36:09] Speaker A: Exactly right. It's finding that niche and finding, you know, what, what do I as a person and my skill set bring to the greater community and how do I double tap on that and expand on it, right. And, and showcase it so that a people can find it. I can show value and, and that's how you grow. Like that's my career, you know, over, over the last, you know, more than two decades has been growing and learning like getting a role that I'm not quite qualified for and learning on the job. Right. You know, hey, by the way, Tag, you're it. You're now this OT cyber guy before OT existed and anybody called it that it was like, you're the OT cyber guy. Like I don't even know what that means, but okay, right. But it was because I was A, willing to say, yeah, put me in coach, and B, I was willing to put my ego aside and ask questions because I didn't know what I was doing. You know, I've been in a power utility a lot of my career, but not from that perspective. You know, I was in a different role. So now I'm learning all this stuff and a lot of people in OT are doing that now. Right. And, or, you know, maybe again going back to your, the shadow box on your wall. Like maybe you're transitioning out of military or you're changing careers from, you know, one job to another. You were a lawyer or whatever the thing is, and you're wanting to get into cyber security. This is how you do do it. Right? You know, you see all these stories about all these requirements and degrees and 10 years experience for an entry level job. That's just what HR says.
None of the jobs I've ever gotten, almost any of the job. I can't think of a job where I actually just went to a website, applied for a job and got the interview and then got the job. Almost every job I ever got was because I had a connection. Hey, Dan. It works for Patrick. Hey Dan. Are you guys hiring? Would you introduce me to Patrick so I can talk to him? And, and he's got a job opening that I'd be interested in. Right? It's that. And then you say, hey, Patrick, I know Aaron, I was just on his podcast. I think he'd be a good fit for this role that you have. Why don't you give him a shout? Right? That's how these things work. Going to the conferences, going to the networking things, being on stage. Even if the first time you do it, you're not very good. Like that's okay because it's, it's at bats, right? It's getting up and, and, and, and not hitting the home run, getting up and getting thrown out, striking out, all those type of things until you get better at it. Right? Yeah, it's really easy in my career where I focus 100 on technology and being the best firewall engineer or active directory person or exchange or whatever the role or the job that I was in, I was always, I wanted to be the smartest in that role. And I got to a place in my career and I read a book and it's called, you know what got you here? Won't get you there. And it literally means that, you know, and you see it all the time, where your top performer in a technology role, especially an engineer or whatever, they're their best person, and you, you promote them to a manager or a leadership position, and they struggle because they're, they're not, they haven't focused on honing those skills. And it is a different skill set. Just like it's a different skill set to be an operator of a power plant and be an OT cyber security person at a power plant. Even though you're dealing with the same technology perspectives, it's a different focus. So I can work. Some people can wear those hats and do them well, but it's all about learning and being willing to ask those questions and, and reach across the, the horn. So for you, transitioning into all these things that you did in your career, all the way back from being in the Navy, coming into the civilian world, going down international labs, like all the things that you talked about, talk about some of that, the lessons learned and maybe even some of the struggles had along the way in your career to get where you are today.
[00:39:58] Speaker B: Oh, yeah. I mean, the whole thing that I was thinking about as you're going through that, going through, you know, talking about the transition and things like that, the. I think, I think a lot of people, the hardest thing to accept is, like, risk.
Life is about risk, and you have to take risk and you have to go do things that you're not comfortable doing because you'll never grow. That is the heart. That. And, you know, I didn't get that when I was a kid, because I was a very shy, emotional kid when I was growing up. I had a very, I had a very. I didn't have, not have a great childhood. Wow. Everyone. Everyone. Not everyone had a great childhood. You get in line. So I'm not like, it's not a, it's not a, this is not a pity party here. Right. But, you know, when I, I, I took that, I, I took, I took the leap to join the Navy because that was so far from who I was as a person.
Because, you know, I wanted to make us. I just wanted to change. I wanted, I needed a big change to get in my life and my environment, and I needed to, you know, move away from where I was at because I knew I was never going to see the world where I was heading in my life, and I needed to take that risk. You know, life is about risk, and we have to take risk, and you can't be afraid of risk. I Joined. When I decided to join the Navy, you know, that was, that was a great unknown. And you know, for me, you know, that was a risk, you know, because obviously you could go to boot camp and fail.
But I, I, I did as best I could to prepare. I went to boot camp during boot camp, you know, I failed my first PT test. Wow. You know, who does, who doesn't when you're like, I wasn't fresh out of high school school. You know, I joined the Navy three years after I graduated from high school and, you know, did the grind, you know, working on the trucking docks in Chicago, loading trucks, you know, not, not having a college education.
Worked part time as a, at a record store. Loved music at the time. So that was like the fun job. But, you know, working six, seven days a week was a bit of a grind. So I joined the Navy. I thought, I know I was interested in the intelligence field, so I had, at least I had idea what job I wanted to do in the Navy and actually ended up going to the intelligence community, but not as an intel analyst. I ended up going into the communication side. But, you know, all that, you know, it was just kind of like accepting those changes because all this was like a bunch of unknowns, right? You have to be comfortable with all those unknowns and then you're going to go in and you're going to have like, all sorts of like impostor syndrome and everything like that. But all that, you know, uncomfortable feelings, you learn to like, live with that. So, you know, as I went through like, you know, boot camp, you know, the schooling I had to go through because I had to go through a school called Job Oriented Basic Skills because I didn't have a fantastic ASVAB score. My, I hadn't been in school for three years. I wasn't a great student in, in high school.
So, you know, but I went and, you know, I learned and did the best I can. I did really good that. Then went to a school and I just kept on, you know, I had really good mentors in the Navy and I embraced that. I didn't shy away. I literally grew up, you know, during those first, like four, three, four years in the Navy, you know, I, I had to like, and I had some really good mentors. Did I have, but did I have ups and downs? Yes. And then I decided like, hey, you know, I met, I had another leader. She was an air crewman. And I thought, you know, I should, I, I think I would like being a naval air crewman. So I went to Naval Air. I decided to get myself in shape, became a really avid runner swimmer and I went to Naval Air Crewman Cannon School in Pensacola and I made it through, through, I went through Sear school, I went through Sear school, I went through all these other, you know, schools that were designed to challenge me and, and grow mentally and emotionally to deal with very difficult situations. And you know, all those things, all those schools and training makes you more, made me more resilient. Right.
I'm not, you know, do I. Does everyone get mad and doesn't always handle things the most professionally and excellent. Yes, absolutely. The schools don't prepare you for those things. They prepare you for the certain situations. But you know, each of those schools though, made me more disciplined and willing to like, take risk, you know, study as best I can because in the military it's a very competitive environment. And through that, through that competition and through, you know, your, your peers and everything like that, and your mentors, they make you stronger, they make you better at, at areas that you wouldn't normally be good at. And like in school, in high school, if you don't grow up in a home that kind of like builds that discipline and instills it in you early on, you're not going to have it. When you just go out into like the regular world unless you, you know, go into the military and, and you may or may not get good mentors. You know, that is a, that is a crapshoot. That is, that is also a risk as well, depending on like the field of, depending on your job field in the military. Because I mean, military is a cross section of, of the United States. Right? People from all over the United States with different backgrounds value ethnicities and, but that's part of the strength of the military because, you know, at the end of the day, you know, everyone's there to get the job done. Right, but I digress, but like, but all the, all that training that I just outlined, even though it wasn't technical training per se, a lot of it was physical and mental. When I went to, when I crossed over from being a communications specialist, being a CTO communication technician operator to being a computer technician network, which is ctn, which are now cyber, their cryptologic technician, or rather cyber technical warfare specialist. Anyways, they changed the rating. Anyways, I digress. But anyways, when I became more of a network analysis guy and I got into cyber, cyber defense and cyber operations, I was more disciplined and more mentally prepared to go through that and get through those schools and actually apply those skills and real world operations that I didn't, that I probably wouldn't have had, you know, early on in my career and it just kind of gradually build. But like I said, the mentors, the people that you keep in your life that are possible positive and uplift you, you, you know, those are the people that you need to, to excel. You know. Are you going to make mistakes? Yeah, absolutely. Did I fail? Did I like have, have issues with like, you know, tests? Subnetting Kick my ass. You know, when I was first, first learning how to subnet, I was not great at. But once I learned it and did it over and over again, I could do, I can do subnetting very well. Reading binary, you know, you know, that was, that took time as well. You know, all that, all that you know is just, you know, you just practice. You work with people that are going to like help you help you overcome those challenges anyways. But you, you get the point. I mean the mill, the military is is, is like a, a great organization to, to get that experience, but there's also, I mean it's, it doesn't all have to be done through the military. You can find that within, within your organization or within this community itself, within the cyber security, the OT cyber security community to help, you know, mentor you towards your goals.
[00:48:21] Speaker A: Yeah, and, and I think that's, that's the piece that I, I love the most. And, and I'm a huge advocate for, you know, veterans and, and, and working with, with people that are, that, that served and, and the main reason that I love, you know, having people on my team and, and that that that come from prior military is, is kind of that, that journey you just said, most of the time they're getting into something, they're taking a risk, they don't know what it's going to be. They, they go through difficult schools and it's, it's more than just mental. It's physical and mental that brings another level of difficulty to things.
It's why you know, today I still, you know, I rock, you know, every day, you know, all the time, all around the world, wherever I'm at. Like I, I do physical things because it makes me show up better mentally, makes me show up better in conversations. Like when you do hard things, you're more used to doing hard things. So when the hard thing approaches you, you've already done a hard thing. It's all, it's not a surprise. So, so having that and, and, and what I, what I love about, you know, obviously in the military, you're not always necessarily going to get a great boss, but it's the same thing in, in the private sector too. Right. What I love about it though, is that you're, you're expecting to work with a mentor and be mentored, you know, and be, be a, a newbie, somebody that doesn't know what's going on and, and, and have that leadership. A lot of times we lack that in the, in the private space. So that doesn't mean that that's your excuse to not get a mentor. That means it's on you to go find somebody and. Yeah, and this, or what I love about this community is there's plenty of us out here that are willing to do that mentorship for others, but you can't just raise your hand, say, hey, mentor me. Like, it's more than that. Like, you need to build relationships with people, make some connections, and you'd be surprised how many people will offer or even, you know, respond and be able, be willing to. Because again, to your point, we said this earlier. We want this thing to grow beyond us. I don't want to be the, you know, the law of the lid. I don't want this thing to be limited to just me. I want this thing to grow beyond me. Like my kids, I've got three kids. I want my kids to be smarter, better, more capable, all the things better than me.
[00:50:31] Speaker B: Yeah.
[00:50:32] Speaker A: I want to, I want them to far succeed me, excel me, beat me in every possible way. That's my job as their, as their, as their dad. It's also my job as a leader, as a, as a boss, as a, as a, as a mentor, as a manager, is to make my staff or the people that work for me or even with me better than, than me in all ways. If I'm the smartest person in the room, I'm in the wrong room.
[00:50:56] Speaker B: Yeah, I get what you're saying. And you know, suspending ego and, and listening and, and is really important. Listening is so important.
[00:51:08] Speaker A: Yeah.
[00:51:10] Speaker B: And also, I mean, I, I think as, as I've gotten older is, is trying to, is to continue learning and being a better listener, which makes you a better communicator, you know, but like, like all the going back to like, you know, taking those risks and like, you know, and getting and making those mistakes and then being willing to take more risk again is, is really important in your life. Right.
Like, I would not have ever considered going to, into naval special warfare and screening for that without. If I didn't go through like, all everything else, because I need to be physically prepared and technically prepared to go into that, into those, into that job. And yeah, if I didn't take those previous risks, I would have not been able to do that. And, and although that's all that experience really prepared me for when I transitioned from the military to, you know, civilian.
[00:52:16] Speaker A: Right.
[00:52:16] Speaker B: Because I wasn't, I wasn't nearly. You know, a lot of people are really coming out of the military, going into the civilian workforce are really, really.
There's a lot of apprehension, you know, because it's a lot of unknowns. But my whole career was, like, going in and like, doing unknowns, you know, especially when I went and got commissioned as a, as a warrant officer and went to sea and learned to drive a cruiser as a, as a conning officer.
Was I scared shitless doing that? Absolutely. Because, I mean, I had, like, you know, I was, you know, the OOD was probably like, maybe like, like 24 years old, and I'm like, you know, 39, almost 40 years old, and I'm like, going, I know how dangerous this is. And you're, you're, don't. I don't know if you grasp how, how dangerous this is, but, you know, you know, a lot of lives are, you know, at risk. So, you know, doing our due diligence, you know, is super important here. We really have to, like. So, I mean, all that basically is just take. Think about the worst experience you had or most scary thing you had when you were in your military career and realize, think about how you address that situation before you're getting ready to transition in the military and realize it's nowhere near as bad as that.
You know, you're just, it's just another challenge in your life and you'll, you'll be fine. You know, think about how you prepared for all those other challenges you had in your military career and treated the same way, and you'll land just fine. Talk to other veterans that have transitioned on the military and talk about, like, their experience. You know, find one that's, Find someone that's been out for the military for a while. Because, you know, most people that retire on the military usually have three to five different jobs before they find the one that's right for them.
Because it's, it's really different.
[00:54:25] Speaker A: Yeah, you go from everybody telling you exactly what to do, when to be, where to eat, how to dress, all the things that I, I was talking to a buddy the other day, and he was literally talking about that. He goes, I. I served 20 something years. I was an MP. He goes, I got out and I literally didn't know. I didn't know how to cut my hair. I didn't know what clothes I should wear. He goes, because I just showed up and they cut my hair. Like, I didn't, I didn't have a style. They just cut my hair. You don't think about how little things like that are in those decisions that are just not part of your conversation. Because you wear a uniform and the uniform is issued to you and you have a certain haircut that you can have and there's regulations and all those things, and you get in the civilian world and it's just like, have fun. I don't care what haircut you have. Like, I've got a beard and I've got, you know, longer hair than I would and, and like, all those things. And that's, that's okay for me. I've got earrings. Like, gosh, oh, my gosh.
[00:55:22] Speaker B: Yeah. I mean, you're, you're now allowed to be an individual and that's okay, right? You're, you're not allowed. You have to, you don't have to conform anymore. And also another thing that's really important is your ranking uniform is not who you are as a person. That's. And that's, that's sometimes hard for some people when they transition out because, you know, they were sergeant major, so, and so, and that's who they were known as. Or they were command Sergeant Major or they were master chief or command master chief or Master Sergeant, you know, depending on the service that you're transitioning out. But that's not who you necessarily are when you get out. I mean, if you're now your first name and what, what you can do for the organization, that's who you are.
[00:56:14] Speaker A: Well, and, and on the civilian side, I see that a lot too, because it's one thing to have a manager title. There's a difference from my perspective between a manager and a leader, Right? I can have a manager title and people that work and directly report to me. That does not mean I've earned their respect and they see me as their leader. They report to me because they have to. But you can be a leader without having the title. Like a lot of, a lot of my career before I was ever an official, having somebody dotted line or direct line report to me, I was seen as a leader. Not because they reported to me, I would be their peer, but they would look to me when the hit the fan, they'd be like, what should we do? Because. Yeah, because you're acting, you're doing something. Let's, whatever Aaron says, let's go do it. Right. Not all the time, of course, but yeah, there are scenarios like that. Right. And so that's my point is you can get the manager title, but you still have to work and earn their respect and earn the right to be their leader.
[00:57:13] Speaker B: And that's Absolutely, absolutely. Yeah. Like a lot of times in the military, by, just because of your rank, you're, you're, you're, you know, you're given certain level of respect, but that's not the same. When you transition out into the civilian workforce. You're, you're not that rank anymore. You know, no one gives, a, what they care about is like, what are you doing for the company? What is your role?
[00:57:43] Speaker A: Right.
[00:57:43] Speaker B: Your responsibilities and fulfill that role. Responsibility. You know, your, your, the respect will be earned. Correct. Over, over time.
[00:57:54] Speaker A: Right, Exactly.
[00:57:55] Speaker B: People, people appreciate what you bring to the table based off of what your results are, your actions will really speak very clearly for that organization.
[00:58:05] Speaker A: Yeah.
[00:58:05] Speaker B: Right. Wrong or indifferent. You know, I've, I've made mistakes. I've said things I probably shouldn't have said that to people, and I've learned that wasn't right. But you know, at the same time though, it happens and you, you, you grow up and you move on. You're always, you're always, you're always learning. Even I'm going to be 50 this year and, you know, I'm learning There's.
[00:58:29] Speaker A: You know, not me. I've never said anything wrong and I've never made any mistakes in my entire career.
[00:58:35] Speaker B: Yeah.
[00:58:35] Speaker A: And if you believe that I have some oceanfront property, Arizona. I'll sell you too.
[00:58:41] Speaker B: Exactly, exactly. Exactly. The thing that I, I, I'm, I'm learning thing that, you know, I have to learn over times is like, things we, and I think this a lot, you know, things that we said and like, did, you know, early on in our life is not necessarily appropriate these days, you know, and that's, I accept that and, but that doesn't define who I am going forward as a person. You know, that's why I think is, is I am, I am learning and, and, and always trying to improve myself 100%.
[00:59:14] Speaker A: I'm, I'm right there behind you. I'm 47, you know, and I continue to grow and learn every day. I'm constantly pushing myself to be better in all areas of my life. In work, in personal, my fitness, you know, my health, my relationship with my wife, my relationship with my kids. Yeah, you Know how I show up at work, you know, the knowledge that I have, the skill sets that I have, like, I'm constantly learning and growing and having conversations like this to make myself better so that tomorrow, you know, you know, there's a, there's an analogy I, I really love, and we can wrap this up. But there's a, there's an actor named Ethan Supply. I don't know if you know who he is, but he used to be the really big actor he was in American History X, the really big overweight, you know, fat guy.
And, and he, he, he changed himself and he lost hundreds of pounds. I think he was like 500 pounds or something at his heaviest. And now he's like 200 something. And he works out all the time, and he's healthy and fit and, and he, he actually had a mentor on a, on a movie, I think it was, or a TV series or something. And, and, and gave him this concept of kill your clump. And the concept is every day at midnight, there is a clone of you, and within. And you have 24 hours to improve yourself. And if you don't, because at midnight, the next night, you fight your clone. And if you haven't improved, then your clone wins, you die, and the clone carries on. So every day you have to improve now. You don't have to, like, reinvent the wheel. You don't have to, you know, run a marathon every day. It's just 1% better every day. Day. But you should do that every single day in some way. Did you read today? Did you improve in your, your relationships? Did you improve in your health? Did you improve in your, your technical knowledge? Like, you can improve in any area of your life, but you have to improve a little bit so that you have a, you can beat your clone the next day. And when you think about it that way, there's no days off. Like, every day I do something. Every day I'm reading, I'm listening to a podcast, I'm journaling, I'm, I'm exercising, I'm, I'm, I'm, you know, having intelligent conversations to be a little bit better than I was yesterday. Because if you're not improving, you're declining. And that's where I don't, I don't really like the idea of retiring in the traditional, you know, work 40 years and get a, get a, get a watch and then go sit in front of the TV and not do anything anymore, because I've seen too many people firsthand that, you know, you hit that cliff and Then you go off the cliff, very steep, deeply. Right. And it's because you're not using your mind, you're not improving. There's no, there's no goal, there's nothing driving you to, to give back. You know, you just talked about the, the ics, you know, advisory project and how you, you built this thing to give back to, to, to be value add to other people. Doesn't mean you have to go out and make millions of dollars. But you're doing something that is keeping you sharp and keeping you vulnerable. Re not vulnerable is the word I'm trying to say. Right? At relevant and value add to the space beyond just you and your immediate family. Which is all great, but what else can you do to continue to drive and keep yourself motivated to wake up and not just sit on the couch? We all have those days where we eat the ice cream and we don't get off the couch. That's okay.
[01:02:35] Speaker B: Yeah.
[01:02:35] Speaker A: Just don't make those every day.
[01:02:37] Speaker B: No, exactly. You need a break. Everyone needs a break. But I mean you can do a little bit each day that's still growing you without like, you know, exhausting yourself too much. Or you can, you can set aside time. I mean, learn a language, learn a second language. Most Americans don't know a second language. Or find some, finding another passion.
Do something that you, that brings you joy. That's important. Because if you do, if you do that, you will grow. You might not realize it, but you are growing.
[01:03:12] Speaker A: And all of those things are directly related. So it's really easy to go get us a technical certification because I want to get into OT cyber and I'm not telling you, you know, listeners, listen to me. If you're trying to get into OT cyber, you absolutely have to have the technical skill sets or you won't get hired. And you also need the softer skills. You need to be able to speak, you need to be able to have conversations, you need to be, to relate to people. All those software skills matter too. So all that to say like, like all these things are beneficial to you becoming a better human for yourself. And it also naturally translates to your employer and your skill set and what you, the value that you provide to the marketplace is improved in all those areas. The better you get in all these areas, the better your outcome comes on all the things that you're doing.
[01:03:59] Speaker B: Absolutely.
[01:04:00] Speaker A: So all that to say my wrap up question is always what in the next five to 10 years, what's one thing that you see coming for the horizon that's making maybe concerning and one thing that's maybe exciting that you see from a maybe cyber security ics, whatever, whatever lens you want to put on it.
[01:04:17] Speaker B: I think one of the few things or one thing that I think is kind of concerning is I think the level of reliance on automation is going to become really, really heavy with leveraging AI ML within cybersecurity and I think there's going to be mistakes made with it because we have a tendency to over rely on technology at certain times until like something bad happens.
I think that's just a given.
I don't think that's anything earth shattering because I think that's just the way we embrace, we are very quick to embrace technology as kind of like a, a, a quick fix, you know, because we are very much an instant gratification society.
[01:05:08] Speaker A: Yeah.
[01:05:09] Speaker B: So I think that's, that's something to be aware of. I think, I think a lot of analytical jobs are going to become very automated and I think cyber security professionals need to be very aware of that and look at areas where they can continue to make themselves valuable to the community.
I think that's going to be something that we are going to have to rapidly take on board and prepare ourselves for.
[01:05:37] Speaker A: Yeah, I agree.
[01:05:39] Speaker B: I think that's something we really seriously need to look at because I, I think they're going to, I think, I think especially with large organizations that can afford to do this will do it. You know, I think a lot of cybersecurity professionals are going to have to like look at where, where, where what's their next passion and where can they bring value to other than what their current job that's probably going to be automated here very soon.
[01:06:06] Speaker A: Yep, 100%. It goes back to that software skills I was just talking about is doing other things in addition to just the technology side. Yeah, 100%. What about the, the positive thing you see?
[01:06:20] Speaker B: Yeah, it's, it's hard looking at the positive things right now. I think, I think we're going to see some really, I think through, through some of the automation, I think supply chain risk might really improve over the next next five years. Yeah, I think we might get a better handle on that.
[01:06:39] Speaker A: Yeah.
[01:06:42] Speaker B: Do I think the, you know, secure by design will be embraced and adopted more so? I think it depends, I think it really depends on accountability, you know, to implement it and whether organization, whether companies, you know, truly if they say that they implement, whether they keep it going and keep it sustained.
I mean we understand why, why where we got to this place. Right. Because there's, we really want to rush, you know, products to the market. And we don't want to spend a lot of time investing in, you know, developing software from scratch where it was easier to just, you know, incorporate, you know, libraries and other dependencies into your software product to get it out the door or advice, you know, designing it all from scratch. I think, I think that's going to be a challenge. I think Secure by Design is great. I think it's going to be expensive and certain companies will definitely adopt it and others will just continue probably going along with it as, as is. I think.
[01:08:05] Speaker A: I don't think it's going to be until they can't.
[01:08:08] Speaker B: Yeah, until they can't. Until some sort of regulatory requirement and fines are hefty enough to, to hold them accountable. But we'll see. You know, it's going to be an interesting ride over the next four years. So that's all I can. I'll just leave it there.
[01:08:23] Speaker A: Yep. 100. All right, so call to action. How do people get a hold of you? Find out more about the ICS Advisory Project. Where where are you going to be speaking, being at all? That kind of good stuff.
[01:08:34] Speaker B: Yeah. So the ICS Advisory Project has a website.
Go to wwicsadvisoryproject.com or you can just do a Google search for ICS advisory project.
It's updated as advisors come out on Monday or on Tuesdays and Thursdays and then you can sign up and get the weekly summaries sent to you and via email through our through the website. I send those out early Monday morning or midnight on Sunday or Monday and you'll get a copy of the Excel file summary of all the advisories I find outside of the CISA ICS Advisory. So even if there's not a CVE associated a lot, some vendors put out advisories anyways and I include those along with the slide deck that I do a summary of all the Advisory Project dashboards for that week and then where I'm going to be where I will be at next conference. I'll be at the Csay Level 0 conference that's coming up here since I'm on the board for that for the words board.
And then I will be at NRECA Cybertech Co Op Conference in Colorado in June. I plan to be running the the the Packet Capture Kit challenge table there for, for Ampex. And that'll be a very exciting thing. We're going to have it set up where there's the four laptops with with different packet capture challenges of OT ICS protocols that you people can then find.
[01:10:28] Speaker A: Awesome.
[01:10:29] Speaker B: Find the, find the specific flag, associate with the challenge. I think that'll be a lot of fun. I we thought it would be a good idea to have something hands on.
[01:10:36] Speaker A: Yeah.
[01:10:37] Speaker B: Because you know, conferences don't always have hands on things like that. So the last one had a really, really awesome table for soldering and building your. Your badge right at, at the last conference and in Crystal City. So this year that's the one I'll be supporting. Other than that, we'll, I'll announce whatever conference I'm going next. I won't be at S4 this year, unfortunately, but next year hopefully.
[01:11:09] Speaker A: Well, that's this point. I always, always like seeing everybody at all these, at these different conferences. But now there's just so many that we can't go to them all. It's impossible. There's just, there's just too many to, to spread that.
[01:11:20] Speaker B: Abso.
[01:11:23] Speaker A: I get it for sure. Well, hey sir, I really appreciate your time. Awesome conversation. A lot of good info. Definitely reach out folks. We'll put all the links in the show notes, so definitely check that out. Reach out to Dan. You know, he has a lot of, a lot of information. Obviously check out ICS Advisory Project. Really cool stuff there. If you are an asset owner, you should definitely be looking at that and narrowing down the advisories that are specific to your environment to help you, you know, communicate the risk and understand and prioritize the risk for your environment on advisories and known releases based upon that stuff. So thanks again for your time today, Sarah. I really appreciate it. Until next time. I'll see you then.
[01:12:03] Speaker B: Likewise. Thank you.
[01:12:04] Speaker A: Aaron, thanks for joining us on Protect it all, where we explore the crossroads of IT and OT cybersecurity.
Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field.
[01:12:18] Speaker B: Until next time, it.
