Episode Transcript
[00:00:00] Speaker A: You're listening to Protect it all, where Aaron Crowe expands the conversation beyond just OT delving into the interconnected worlds of IT and OT cybersecurity.
Get ready for essential strategies and insights.
Here's your host, Aaron Crowe.
[00:00:18] Speaker B: Happy New Year, everyone. Welcome back to Protect it all podcast, where we tackle critical issues facing operational technology and informational technology, IT and OT cybersecurity. Obviously there's, there's definitely a spin on critical infrastructure from power utilities to trains, manufacturing, critical manufacturing, hospitals, supply chain, that kind of thing. But also, you know, technology doesn't stop at the plant. It is impacted by the things in the corporate side, the things that are put in the cloud. As, as architectures and organizations change, there's that, that line, that clear line of delineation between IT and OT is blurring. Um, so, you know, yes, I definitely talk about a lot of OT stuff, but have to really make sure that we're talking about more than just, you know, the stuff that's at the plant or the manufacturing facility or on the plane of train, etc. Right. Maritime.
My name is Aaron Crow. This is our first episode of 2025 New Year means new challenges, opportunities and events to look forward to. Today we'll discuss, you know, what's ahead, how you can get involved, and some major OT cybersecurity events and news that should be on your radar. Let's, let's dive in. So kind of what to expect in 2025. Definitely. Doubling down on the mission of the podcast, providing actionable insights for, for OT and IT cybersecurity professionals. We're going to explore, you know, how evolving landscape threats impact critical infrastructure, emerging trends in ot and it's, I don't want to say it, but you know, the convergence word that everybody uses security technologies, you know, from secure mode access to, you know, all the different things, the buzzwords, you know, passive active monitoring, asset management, you know, patch management, all the things that we're needing in this space. And most importantly, how do we build resilience into systems? It's not all about technology. It's people, process and technology.
You can't just buy latest and greatest widget, whether it's a firewall or, you know, any of the other technologies. The, the tools themselves don't, don't solve the problem. You need good people, you need good processes to make sure that those, you know, even a, an inferior product, if implemented well, is better than the greatest product that is not managed and sits on the shelf and doesn't actually get utilized. The tool itself doesn't solve all the problems.
Expect deep dives into real world case studies. Definitely having lots of expert interviews, folks coming on with, you know, expert experience, case studies, vendors with, with solutions and kind of everything in between. And definitely actionable takeaways to level up your cyber security strategy. I look forward to folks reaching out. Who wants to be on the podcast? Maybe you've been on podcast, maybe you're a vendor, maybe you're a asset owner and you want to, you know, kind of get your, your case study or your example out there. Or you know, maybe there's some things that's coming up on the horizon that you want to make sure that, that everybody else in the field, I see this as a team sport and really want to make this a platform where people feel comfortable and come on and learn, grow and expand.
Let's dive into upcoming events and how to get involved. One of the best ways to stay ahead in the field is by getting out there. Networking is huge. Learning and sharing knowledge are great. Going to conferences is a big way to do that. There's so many conferences out there today. I definitely can't list them all. Not even all the ones that I'm going to go to or my team team or, or others are going to be going to. But some of the, the top ones in the industry to mark on your calendar really kicking off is going to be S4 in Tampa. Usually it's in Miami. This year it's in Tampa. Really excited about that. This is a place for advanced discussions on OT security. It's happening in February again, Tampa, Florida. It's a great way to kick off the year. All the OT folks will be out there, the vendors and, and asset owners. It's a big one. And besides ICS is going to be there as well the day before. So again that, that's just a great place that was, you know, very, very low entry cost to get into and it's at the same place and time as S4. So those are a great 1, 2 combo to hit in there. So definitely we'll tag that and Mike Holcomb who's kind of leading that ICS1 and obviously Dale with with S4 and one of my favorite conferences all year long, RSA Conference. Um, obviously that's not a ot cyber security conference. A lot of these are not dedicated to ot. But RSA is a very, very large cybersecurity conference in San Francisco. It's in April, I believe, and it's definitely huge. So many vendors, so many great conversations and talks and speeches and I'M there every year with ICS Village in the sandbox where you can come and touch and we will have kits kind of like the one I have back there. That's an ICS Village kit. You know, we'll have our OT wall. There's a lot of different things that you can actually touch and play and ask questions and you know, there's, there's a lot of opportunity no matter where you're at in your career, whether you're the cyber executive or you're the, you know, guy get guy or gal just first getting into, into cyber, definitely definitely a good one to come to Black Hat and DEFCON in Vegas. Probably you've. If you're in cyber, you've definitely probably heard to heard of it. If you've never been definitely recommend Black Hat is, is more of the, you know, very similar size and, and whatnot to rsa. And defcon is definitely the, you know, engineer Hacker Conference. There's definitely different people at them, but a lot of the folks, you know, kind of bridge both of those. It's a week in Vegas and these, those two events are back to back in August. We're actually, I'll talk about it a little bit later, but we're actually going to be hosting a shooting event in Vegas at a gun range. So definitely check out there. Reach out if you are a cyber executive and or vendor looking to sponsor events and Black Hat Grid seccon. That's a favorite one for me as being a former asset owner. It is, it is around the electrical grid. It is you know, essential event for utility professionals. So if you are a control systems person, you, you work in a power company, you support power industry, you know, nerc, sip, you know, all the different things that come with that. That is definitely a one to get. It's put on by, by one of the ice ax, ICS Atlanta and Houston SEC Con, OT SEC Con. Those are great ones. They're quote unquote regional conferences. I don't really know if that's true. They're both really big. I went to Houston SEC Con this, this year. Great conference. You know the guys that put that on. It really just has turned out to be a. An awesome awesome kind of S4 in the fall, which is, which is really great. You know, lots of insights, lots of good talks, vendors. Again I'm there with ICS Village. I mean I made a lot of these with ICS Village. If you don't know what ICS Village is, definitely look that up.
Thomas Van Norman leads that with, with Bryson Bort and just a great organization to, you know, get information out there. They're actually going to be doing some training this year, having training opportunities.
Definitely, definitely reach out for information if you want to volunteer and, or just, you know, lear OT all right, so lastly is. I kind of teased to it before the Lone Star Cyber Shootout. We're actually doing it in a few weeks, January 16th and 17th at Staccato Ranch just north of Austin. While the shooting days at Staccato, we're actually having a executive dinner on that Thursday night round table conversation at the vineyards at Florence. I'm so excited about this. It's not just about cyber security. It's about building community. One of the, you know, kind of pillars that you'll see through this is networking. There's a lot of knowledge at all of these conferences.
Some of the benefit that you don't always see, you know, on a P L or, you know, an ROI is, you know, the connections that you make and the things that you can learn from others in the field, in the industry. So having the ability to rub shoulders, to ask questions, to get to know these people beyond just what you see on LinkedIn, go shake somebody's hand and actually talk to them, Have a beer, have a coffee, go to lunch. You know, those, those relationships and connections help you build your personal brand. But also when you need help, like, hey, I remember Bob did this thing at his last place or at his current place. Let me go ask him how. What, what do you. What he thought of that. Whether it's asking about a product, whether it's asking about a vulnerability, whether it's asking about, you know, how did he get budget or, or how did he get something approved or him or her, like, it's, it's so over. It can be overlooked, especially coming as an engineer type, you know, technologist who focuses on getting the latest certification and learning the late, latest, you know, skill set. That skill set needs to be considered. Having the ability to build your network, your personal brand to, to again, if you lose your job, if you're looking for a new job, if you're, you know, looking to grow and, and, and get to that next career path or again, technical questions. E. Having that network is, is. Is priceless.
All that to say the, the Lone Star Cyber Shootout is really that. Right? It is networking. It's, it's, you know, doing fun activities together. Yeah. This one happens to be shooting, but, you know, there's a lot more to it than that. Right. It's, you know, again, the, the dinner the night before. There's a lot of networking stuff where we're doing a factory tour where they build firearms. So there's some ot, you know, looking at machinery and, and how they secure that stuff and, and just their. Their overall process. Very, very cool. Definitely don't want to miss out.
All right, so let's move into some of the. Some of the latest events that have been in the news. Not all of these are cyber events. Not all of these are specifically ot, but unfortunately, the news over the holiday season reminds us why our work is so important there. There's just been a lot going on from, you know, the airlines going and, you know, being unavailable during peak times, unable to book, book flights, you know, flights getting canceled. There's been a spike in things targeting airline systems, causing delays, raising concerns about pasture safety.
All of that.
All of these systems are old. They're, they're. They're big. They're. They're complex. It's not as easy as, well, let's just upgrade it. Let's just add a firewall or add a. Whatever thing it is.
It's not that simple. Ot many times is very complicated and it's, you know, antiquated. Is. Is no surprise.
Cell phone provider data breach. I think we've. We've all kind of seen some of this stuff with, you know, even the, The. The. The government coming out and saying, don't use text messaging because it could be compromised using, you know, secure channels like Signal and, you know, WhatsApp and other products really tells us something that, you know, normal text messaging is. Is potentially compromised. Now, obviously, your, you know, text message to your wife saying, hey, grab some. Some milk, is not a big deal, but it's the bigger picture of things. I know I just posted a podcast the other day about, you know, cyber criminals and how they use your information to attack you. And it goes to. That, right, is if they have more information about you, they can use that against you. Having is. Is. Can be dangerous. Again, it's not just your, you know, Social Security number and your pen or, you know, all that. It's just, you know, how do you speak? What do you. How do you normally interact with your loved ones and family and friends that can be used to get you, obviously this. Today is January 2nd on New Year's Eve, there were terrorist attacks in New Orleans.
Not a cyber event, but it just really shows there's a growing concern around, you know, tactics and, you know, terrorist activities. You know, this time it was a. It was a person in a car or a Truck driving over people and you know, had IEDs in his truck. There were multiple other IDs. There's obviously it's fairly new. Not, not trying to get into any of that but you know, there are potential other, other attackers as well. And then there was the cyber truck. Tesla cybertruck explosion in Vegas. Again, not a cyber event, not an OT event even, right? There were fireworks and explosives and gasoline and all that kind of stuff in the bed of the truck and exploded in front of the, you know, the Trump Hotel in Vegas. So there's just a lot going on in the world. It's easy to get distracted, it's easy to get concerned.
This is the time where we need to be diligent around, you know, stay in my lane, focus on what I can control, secure my areas. If I'm working as an asset owner, if I'm, you know, whatever, whatever my focus is focus on the things that you can do. Like look at the small stuff, the details matter. These incidents highlight the importance of not just securing digital systems, but understand the interconnections of physical operations.
I've talked about it before but this goes to you know, security by design, cyber informed insurance, you know, engineering.
I've had conversations around this, I talked about it at defcon in a talk I've talked about a couple of times at conferences. But this really goes to that right? Is, is all these systems are interconnected. I, I can't just work on the cyber side of things. There's the physical, the operations, the safety. All of these things are interconnected and we need to make sure that we're considering all of them when we're looking at, at you know, upgrading, controlling, you know, securing these environments.
So onto a better note or higher note or not so depressing or frustrating note.
If you want to make a difference in 2025, how do you get involved? You know, attend a conference, there's, there's lots of conferences that are, that are in your area. There's B side stuff, there's stuff all over the country. Again like I said, there's way too many that I could list. I just hit some of the big ones. But find one, go, go find, reach out to others. Go to an event, go to you know, the beer isac which is a great organization if you ever heard of, you know, same thing, right? It's a, it's a networking organization. People that have like minded that are wanting to, you know, learn more about cyber security and grow and network all that kind of stuff, right? Find something that you can be Part of learn to grow, grow your network, grow your, your intellect, grow your capabilities, all of those things. Joining the discussion, LinkedIn and, and social platforms, yeah you can use them like Facebook and Instagram, all the kind of on the personal side but, but on, on the business side like use your network for, for your benefit. You know, reach out to me directly, follow the podcast, you know, share your thoughts and experiences has to come on the podcast. I'm always looking for great conversations to have and you don't have to be a 20 year cyber professional to, to have value that you can give back to the community. So please definitely reach out if you have something to talk about, you want to hear a topic again, you want to talk about it specifically, you know, reach out, stay educated, keep up with training, certifications, thought leadership. And it shouldn't, in my opinion should not all just be technical. I think one of the things, again coming from a technical background, one of the things that I always focused on early in my career was the technical stuff. And you know, it got me where I was going. But at some point I needed to have other skill sets and those skill sets become those soft skills, you know, people skills, being able to negotiate. You know, one of my mentors told me, and I've said this probably a hundred times, all businesses of people, business doesn't matter if you're the janitor, the CEO, the engineer. You have to interact with people to be truly successful. You have to sell your ideas, you have to sell your, your, you know, concerns. All of that is, is you're really a salesperson even though you're not, you know, going out and getting commission. You're not going out with a sales quota. You're selling your, even internally in your team to your manager, to your wife, to your kids. You're selling yourself ideas, right? And, and you know, how to win friends and influence people. Another book that, that really ties to this is, you know, what got you here won't get you there. At some point you're going to get whatever you're. If you're the best in the job that you're at, you're, it's going to be hard for you to get to the next place. We see this all the time where you know, the, the best engineer gets promoted to manager and they're not any good at it because they don't have the skill sets. They were great at their job as an engineer, but they're not great as a manager. It's not because they're not capable, it's because they haven't built the skills. And, and being a people manager, a manager of people and processes is different than, than coding. It's different than systems administration or managing a firewall or any of that type of stuff. Right? So know those skill sets and be open to whether it's a 360 review, whether it's, you know, really just looking in the mirror and saying, hey, what things do I suck at? Because those are the things you need to go work on beyond just the technology stuff you need to work on. You know, those, those softer skills as well.
So as we kick off 2025, I want to say thank you for being part of this journey.
This year is all about growth, professionally, personally and as a community. Together we can tackle these challenges ahead and build a more resilient future. If you're attending any conferences I mentioned or any of the others you know or, or are joining for, you know, the Lone Star Cyber Shootout, definitely let me know.
And I'd love to conn.
Stay safe out there. Stay vigilant. Let's make 2025 a year of impact. Until next time, this is Aaron Crowe signing off from the Protect it all podcast. Thanks a lot.
[00:18:38] Speaker A: Thanks for joining us on Protect it all, where we explore the crossroads of IT and OT cybersecurity.
Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next.
