Lessons Learned in OT Security: Regulation, Collaboration, and the Rise of AI Threats with Kam Chumley-Soltani

Episode 68 July 28, 2025 00:53:50
PrOTect It All
Hosted By

Aaron Crow

Show Notes

In this episode, host Aaron Crow is joined by Kam Chumley-Soltani, Director of OT Security at Armis, for a candid conversation that dives into the ever-evolving landscape of OT (operational technology) and IT cybersecurity. After several rescheduling attempts across time zones and even parking lots, Aaron and Kam finally sit down to share their frontline experiences and insights from the world of critical infrastructure security.

From the increasing visibility of OT threats and the surge in regulatory requirements, to the convergence of IT and OT teams, they dig into what’s driving organizations to prioritize real-time visibility, risk management, and collaboration. Kam reflects on his diverse background in the military, at Cisco, Dragos, and now Armis, while Aaron draws on decades of experience leading teams across power plants and utilities in Texas. They both underscore the importance of people, process, and technology - reminding us that even the best tools are only as valuable as the teams that wield them.

The discussion explores the challenges smaller utilities face, balancing regulation with limited resources, and the need for cyber-informed engineering from the very start. Plus, they look ahead at the role of AI in cybersecurity, the daisy-chain effects of infrastructure attacks, and the importance of community and continuous learning in keeping ahead of the curve.

Whether you’re a cybersecurity veteran, just breaking into OT, or simply want to understand why your electricity bill matters, this episode is packed with anecdotes, practical advice, and a few laughs. So pull up a chair and get ready to protect it all!

Key Moments: 

03:18 Cybersecurity Developments and Regulatory Changes

06:33 Demand for Consulting and Assessments

09:51 Future of Regulation and Community

13:06 Regulating Small Utilities Challenges

16:41 Cybersecurity in Critical Infrastructure

19:43 Simplifying Complex Issues for All

26:12 Embracing AI in Cybersecurity

27:39 "Embrace Challenges, Educate Yourself"

30:14 Cybersecurity Threats to Infrastructure

34:29 Evaluating Automated Alerting Systems

39:38 Controlled Network Configuration Risks

42:10 Underfunded Team: Multi-Skill Necessity

45:31 "Collective Progress and Contribution"

48:13 "Geopolitical Threats to Infrastructure"

About the guest:

Kam Chumley-Soltani serves as the Director of OT Solutions Engineering for the U.S. Public Sector at Armis, where he specializes in industrial cybersecurity. His expertise lies in designing secure and resilient network architectures for critical infrastructure environments.

Previously, Kam led Cisco’s OT Solutions Engineering team for the entire U.S. Public Sector, delivering end-to-end solutions across IoT/OT security, network architecture, diverse RF wireless deployments, embedded systems, and edge computing.

He has guided numerous global enterprises, federal agencies, and SLED organizations in architecting solutions that incorporate robust networking, cybersecurity controls, advanced threat detection, and proactive vulnerability management.

A Navy veteran, Kam served as a flight systems engineer and mission operations planner. He holds a B.S. in Cyber Operations from the United States Naval Academy, an M.S. in Cybersecurity from Brown University, and an M.B.A. from Northwestern University's Kellogg School of Management. He is currently pursuing his Doctor of Engineering (D.Eng.) in AI/ML from George Washington University. 

How to connect with Kam:

LinkedIn: https://www.linkedin.com/in/kam-chumley-soltani/

To be a guest or suggest a guest/episode, please email us at [email protected]

 

Please leave us a review on Apple/Spotify Podcasts:

Apple   - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124

Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4

Episode Transcript

Aaron Crow (00:01.004) Hey, welcome to another episode of the PrOTect It All podcast. This one has been like, we've been working on this forever. My friend Kam is with me today. We've rescheduled this. I tried to, I literally was trying to record this as I was sitting in my car, driving to a client site, sitting in a, in a Buc-ee's parking lot, which if you've never been to Texas and seen Buc-ee's, that's a huge place. Kam, thank you for being flexible. One time you were in another country, another time zone, and like we've just, I think we've rescheduled this like seven or eight times, but that's okay. So I appreciate you being here and being flexible with me, and I'm excited to dig in.

Kam Chumley-Soltani (Armis) (00:34.506) Yeah, 100%. I mean, this is number seven or number eight of our failed attempts. And at one point, I remember messaging you and I was like, dude, I'm so sorry. I'll send you a gift basket, whatever it takes. So I'm just excited to actually hop on here. And I've been seeing the amazing things that you've been doing in the podcast. And I was really excited when you reached out. So thanks.

Aaron Crow (00:52.002) Well, awesome. Thanks, man. So, Kam, I mean, just tell us who you are. You know, obviously you're wearing your Armis shirt, so tell everybody who Armis is, like what are you doing and kind of a little bit about your history and your background and you know, kind of what got you to where you're sitting today.

Kam Chumley-Soltani (Armis) (01:06.152) Yeah, absolutely. My name is Kam Chumley-Soltani. I might have the longest last name in the entire world. Most people just call me Kam Chumley. I'm a director of OT security here at Armis and I cover all the public sectors, so federal and SLED. Anything from vulnerability management, threat detection, observability, you name it. We've probably touched it in some capacity. And then for us, Armis specifically, we cover anything OT or IoT, medical IoT or IT.
and we can do anything from live telemetry, bi-directional integrations. We meet the customer wherever they're at. So we're growing at a pretty crazy rate. It has been insanely busy. I've actually only been in Armis for about six months now, and it feels like 19 years, which I think is a good problem to have. Much growth. Then before this, I was at Cisco where I led the public sector for OT sales engineering.

Aaron Crow (01:47.158) Yeah.

Kam Chumley-Soltani (Armis) (01:56.561) And then before that, I was at Dragos and then before that, a military guy for eight years. So love the community and giving back, which is why I'm even more excited to be on the show today talking to you, who I consider a good friend too.

Aaron Crow (02:06.112) Awesome. Well, yeah. So I mean, dude, let's give, let's dive in. So there's so much in this OT space. There's so much coming back out now. We see it in the limelight. We see it in, obviously we see it in our circles and OT and we're seeing it more in the news. We're seeing more attacks in these OT spaces. Are you seeing more and more folks that are, you know, from clients and customers, the folks that you're talking to worldwide that are really seeing the value and needing more visibility, more controls, more understanding of what's going on in their OT spaces. And the second caveat to that is the why. Are most of them because they've been directly impacted or is it because they've seen something in the news or their competitor got hit or they heard about their brother, sister, cousin's uncle that got impacted? What's causing the yes or no in that scenario?

Kam Chumley-Soltani (Armis) (02:48.787) Thank you.

Kam Chumley-Soltani (Armis) (02:55.74) Right. Yeah, there's a lot to unpack there. Maybe we'll take a reverse order. I mean, just the last couple of weeks, you think about things to release like the new NERC CIP requirements, doing interprimer boundaries and visibility and monitoring.
And then you look at the maritime transportation system regulator just got pushed up by Coast Guard. I mean, it's crazy. It seems like every time you turn the news on, it's either something unfortunately where there was an attack or breach or it's regulation, which

Aaron Crow (03:14.914) Yep. Coast Guard stuff. Yep.

Kam Chumley-Soltani (Armis) (03:28.485) Again, it has teeth, which may be necessary at times, but I think OT is starting to get the visibility that it needs. And to answer your question about what I've been seeing particularly is, of course, you know, federal government, tons of compliance and jumping through hoops, not just from a software, but a hardware standpoint, but even on the state and local side. So conversations with lots of CISOs and CIOs and even governor's office about, we recognize that this is an issue. How can we get full scale observability? How can we get threat detection, vulnerability management, and not just even in traditional OT systems like water and electric utilities, but even things like the airports, the rails, the connected roadways, and merging that together with their critical IT infrastructure. So, you know, it's so weird. I think, you know, where you and I used to go to conferences and only talk OT, it's actually really refreshing now to see the convergence where you go to conferences and meetings. And now you're actually in the same room as some of the IT folks, which never would have happened before in a million years. So it's nice.

Aaron Crow (04:30.156) Well, or if you were in the same room, you know, they were throwing things at each other and you know.

Kam Chumley-Soltani (Armis) (04:34.728) Yeah, exactly. I had to bring a couple of Monster Rehabs and like some dinner tickets just to kind of level out the field, right?

Aaron Crow (04:40.862) Exactly. Exactly. Well, and you know, I've been in this for a long time.
And to your point, like everybody hates the word OT, IT/OT convergence, but ultimately, and I say this all the time, but we're one team, like we're literally wearing the same jersey. Like we are, we are one and the same and we have to be helping each other. And to your point, like that's what I love hearing. I've seen it as well. It's still slow, but

Kam Chumley-Soltani (Armis) (04:50.758) Yeah.

Kam Chumley-Soltani (Armis) (04:55.209) 100%. Yeah.

Aaron Crow (05:06.2) getting everybody in the same room is the first step. And that, in my opinion, is the most important step. And it's not, you know, there's tons of technologies, there's tons of solutions, there's tons of consultant agencies, there's all of the things, but it's people, process, and technology. Only one of those things are technology. Solving the technology solution, there's a lot of solutions out there that do great jobs, right? Armis is one of them that does an amazing job. But you still have to do the people and process side. And that's where you need

Kam Chumley-Soltani (Armis) (05:15.794) This is a copy.

Kam Chumley-Soltani (Armis) (05:24.357) for

Kam Chumley-Soltani (Armis) (05:30.738) Yeah. Yes.

Aaron Crow (05:35.34) both of those things together, even if you have, you know, the analogy I always give, you can have the best tool in the world. I can buy the most expensive woodworking equipment in the world and have it in my garage and buy all the lumber and sit it right next to it. And I can shut my garage door and come in the next morning and it's still going to be sitting there because nobody actually built anything with it, right? Somebody has to take it and have a process, have a plan and actually execute using those great tools.

Kam Chumley-Soltani (Armis) (05:45.736) I think that's right.

Kam Chumley-Soltani (Armis) (05:54.172) Yeah, I love that.

Aaron Crow (05:59.394) so that you get the ROI, you get the value, you get the protection from them.
The tool's not gonna do it by itself.

Kam Chumley-Soltani (Armis) (06:00.647) Mm-hmm.

Kam Chumley-Soltani (Armis) (06:06.304) 100%. Yeah, for sure. I don't know why, Aaron, but I just get the vibe that you're a great carpenter. I don't know if you actually do woodworking, but you give me that impression. I couldn't agree more. I mean, last week they had a Zero Trust OT workshop up at Johns Hopkins. And it was actually, I really liked it because beyond just the presentations itself, highlighting the point you just mentioned, they had workshops where we actually broke out into subgroups. And we looked at the OT Zero Trust fan chart.

Aaron Crow (06:10.286) You

Kam Chumley-Soltani (Armis) (06:33.128) And it was devices and applications and users. And I remember sitting there in this room with people from all walks, right? Like again, DoD customers, organizations, other vendors, consultant firms. And at the end of this fan chart that we had assigned to us for devices and technology, we literally were just like, there's technology for all of this. Like, yes, yes, yes, yes. But the actual education piece, the people and processes, a whole nother ball game. You know, I'd love to hear from your perspective too, like what you've been seeing from a consulting standpoint about bringing people in and the demand for that, because I've been seeing a lot more appetite for even initial assessments, whether it's having somebody go through and running through a survey or making sure compliance and frameworks are aligned, or even things like flyaway kit assessments have been insanely popular. So we'd love to hear from your experience. I know you're all over the place.

Aaron Crow (07:27.244) Yeah, so agree. Like we're seeing a lot more, you know, in the past, a lot of, a lot of, a lot of spaces would just, hey, I'm going to reach out to the OEM vendor. Right? So I have this prime vendor that does, you know, X, Y, and Z. But they're seeing more and more, not that that's not a good thing.
You should absolutely work with those prime vendors. It's not at all to throw shade at them or throw them under the bus, but it's just like there's a reason why. So I came from EY, right? There's a reason why you have an audit firm.

Kam Chumley-Soltani (Armis) (07:39.066) Yeah.

Kam Chumley-Soltani (Armis) (07:55.045) Right.

Aaron Crow (07:56.02) that looks at your books, right? You have an accountant, you have a CPA, but you know, a CFO, all of those things, but you still have a third party come in and look at your books to make sure there aren't anything missed. It's not always finding malicious things. Many times it's finding errors and mistakes, misunderstandings, right? All of those are things that it finds too. And that's the thing that having that outside eye that comes in and look like, how many times have you...

Kam Chumley-Soltani (Armis) (08:08.826) Mm-hmm.

Aaron Crow (08:22.85) brought in somebody on it. I've been doing this a long time. I remember way back in the day when I was starting out, you know, banging my head against a wall on something and somebody else coming in and be like, have you tried this? And it's just, it's the simplest, stupidest thing. And it's like, my God, why did I not think about that? I've been, I've been banging my head against the wall for 10 hours and I never thought about, did you turn it off and on again? Right? You know, something simple.

Kam Chumley-Soltani (Armis) (08:29.254) Mm-hmm.

Kam Chumley-Soltani (Armis) (08:33.99) Poop. Yeah. Yeah. Yeah.

Kam Chumley-Soltani (Armis) (08:45.186) Right. And that one moment you stood there for five seconds, it feels like four years as it all registers.

Aaron Crow (08:48.734) Exactly. So that's what we're really seeing is, you know, this is not to replace. You should absolutely have those relationships, but this is a how do I make sure?
And to your point, I see more and more of an appetite of almost, I would say, almost in the past 10 years where people were just like, yeah, I think we're good, right? Almost, you know, put my head in the sand, close my eyes. Like they tell me it's good. I'm just going to take their word for it. To now they're like, that's not good enough. They're telling me they're good. It's more of a trust but verify. It's fine that you tell me that you're good and I believe you and I know you're really good at your job, but I also want a second opinion. I got a stage four cancer diagnosis. I love you, doctor, but I'm gonna go see another doctor to see if there's any other options. Correct. Exactly.

Kam Chumley-Soltani (Armis) (09:17.593) Right.

Kam Chumley-Soltani (Armis) (09:23.012) Yeah.

Kam Chumley-Soltani (Armis) (09:30.501) for sharing.

Kam Chumley-Soltani (Armis) (09:36.432) Yeah, maybe three other doctors just to check it. Yeah, I mean, it's actually it's a good thing, right? I think the community is making steps in the right direction, whether it's one of the big four or it's a small boutique firm. And to the point that you talked about earlier, we talk about this a lot, but not necessarily the value of unpeeling the onion or peeling it back, of getting everybody in the same room. And not only from a policy standpoint and doing tabletop exercises and encouraging them to put that in their cybersecurity plan at a maybe a semi-annual basis, but even just having a whiteboarding session, man, and going through and I mean, I think some of my favorite moments in my career is walking in with a ton of Krispy Kreme donuts. By the way, I'm not endorsed by Krispy Kreme, just throwing it out there, donuts. Yeah, right, catch me at Krispy Kreme. So, and you go out there.

Aaron Crow (10:23.064) Yet, yet.

Kam Chumley-Soltani (Armis) (10:29.049) and you're writing everything on the whiteboard and then there's an aha moment where you ask, how is this connected or how is this doing that?
And everybody just blank stares, they look at each other and that moment itself, you succeeded and it feels amazing. And it just seems like to your point, more and more of that is happening, which is such a great thing. And I'm just trying to understand like, if I could have a crystal ball, I've been trying to shake it up, you know, to see in this in the ball to see what's going on in the next five years. Where are we gonna be at with the amount of regulation that's coming down, the appetite, unfortunately the increase in activity? I mean, if you were to look down the line, what do you think it's gonna look like as a community and infrastructure as a whole?

Aaron Crow (11:10.392) You know, if we look, you mentioned regulation and I think to your point, I'm pro and I'm for and against, you know, too much regulation. Cause I think regulation, it does. But I mean, if you really take a 10,000 foot view and you look down on all the critical infrastructures in our country and you look which one's the most mature, power utility and oil and gas. And there were for two different reasons. Power utility because there's NERC CIP and they

Kam Chumley-Soltani (Armis) (11:21.027) Yeah. Yeah, it's just gotta be just right, dude. Yeah.

Kam Chumley-Soltani (Armis) (11:33.966) Mm-hmm. Mm-hmm. Mm-hmm. Yeah.

Aaron Crow (11:38.146) kind of been forced down that road, oil and gas just has a lot more money, right? So they have the budget and they are more, I can do this and it helps with my availability. They've done a really good job at tying the systems to their ROI and their uptime, right? So we do it the same way in power utility as well, but because of that NERC CIP, that's one of the reasons why we're more advanced. You look at wastewater, water utilities, things, they don't have budget and there is really no regulation.

Kam Chumley-Soltani (Armis) (11:43.065) Yeah.

Kam Chumley-Soltani (Armis) (11:54.99) Hmm

Kam Chumley-Soltani (Armis) (12:02.989) Yeah.

Aaron Crow (12:06.446) It's hard for them. They don't have the money. They can't get a rate case increase. They can't. There's no capital money to do the things. It's not that they don't want to. It's that how can they if they don't have the budget, right? So the crystal ball is I think we have to have regulation tied to funding, right? We have to have some opportunities for these smaller entities, especially critical infrastructures, to say, I know I probably have gaps. I don't have any funding to fix these things. I'd love to fix them. Help me.

Kam Chumley-Soltani (Armis) (12:07.812) Yeah.

Kam Chumley-Soltani (Armis) (12:13.804) Yeah. Exactly.

Kam Chumley-Soltani (Armis) (12:25.356) Amen.

Aaron Crow (12:36.128) Right? And there's organizations like mine that can help. I know, you know, many organizations like yours have special pricing and special offers for those types of entities, you know, and that's what it's going to take. And ultimately, I think this is a global problem. This is not, you know, I talk to people all around the world, as you can imagine, and so do you. You know, it's the same problem in, you know, Europe and Africa and Asia and all over. They're having these similar problems.

Kam Chumley-Soltani (Armis) (12:37.752) Yeah.

Kam Chumley-Soltani (Armis) (12:45.869) Mm-hmm.

Kam Chumley-Soltani (Armis) (12:51.277) Mm-hmm.

Kam Chumley-Soltani (Armis) (12:55.021) Mm, mm.

Kam Chumley-Soltani (Armis) (13:01.685) Yeah.

Aaron Crow (13:05.46) And some of them are different. Obviously, China doesn't necessarily have this problem because the government pays for those things. But in places like ours where, you know, they're individual companies, you know, power utilities, most power plants are owned by companies. They're not owned by the government, right? They don't, they're not, they're not funded by your tax dollars. You're paying an electric bill and that's what's powering. That's what paying for.
You know, that's the other funny thing is people don't understand that process of, you know, I'm buying my power from this company, but that's not who actually generates the electricity. That's just who you.

Kam Chumley-Soltani (Armis) (13:06.733) and then.

Kam Chumley-Soltani (Armis) (13:10.979) Mm.

Kam Chumley-Soltani (Armis) (13:19.019) Right. Yeah, probably.

Kam Chumley-Soltani (Armis) (13:24.032) Right.

Kam Chumley-Soltani (Armis) (13:27.555) Mm-hmm.

Kam Chumley-Soltani (Armis) (13:31.469) Yeah.

Aaron Crow (13:35.118) That's a whole nother conversation. Right? Exactly. So I mean,

Kam Chumley-Soltani (Armis) (13:35.458) Yeah, exactly. Yeah. And it's a private company, by the way. Yeah, totally backwards. Yeah. And, you know, as you've been talking about that, too, it's like, do the differentiation between public and private sector. Totally different as well. They taking a large electric utility out there that, again, they're providing power to tons of end consumers the very end versus you look at state and local breaking up by state and county, and much smaller. Some of them aren't even governed by NERC, except they're so small with their power generation. And as you were talking about this, I was actually thinking to myself how difficult it is to actually create regulation for everybody. And I'm thinking of like these very small state and local electric utilities or water utilities that they don't have the resources and they don't have the manning and they don't have the money either. So then it goes back to, let's just say hypothetically that every single one of them found a pot of gold, and they could operate independently and they could have upgraded infrastructure and they could have a more secure or more postured cybersecurity stance. In the end, there still needs to be coordination.
So then it almost comes down to if we could have a magic wand for what regulation would look like, is the regulation or is that wand giving us the ability to give that pot of gold to every state and county-owned critical infrastructure component? Or is it better to have a statewide visibility, observability, SOC that ties everything together, both IT and OT? My gears are just kind of spinning here as we're talking.

Aaron Crow (15:07.586) Well, you see some states doing that very thing, right? So you see state of Florida is doing Cyber Florida. Texas just signed a bill to do something similar as well. Exactly, exactly. You know, and that's tied to the Texas, the Texas Guard. So there is some regulation around those things and some tying. And then this isn't even to mention, and I'm taking this a tangent. It's not exactly the question you asked, but.

Kam Chumley-Soltani (Armis) (15:12.482) Exactly, good one. Yeah.

Kam Chumley-Soltani (Armis) (15:20.512) Yeah, let's go to Texas Cyber Command.

Kam Chumley-Soltani (Armis) (15:27.692) Mm-hmm.

Kam Chumley-Soltani (Armis) (15:36.596) All good. Yeah.

Aaron Crow (15:36.622) But the other thing that's really coming and it's going to push this further and make us need to solve this problem even faster is the AI push, right? So all these data centers are getting spun up. I think I saw a number, just did a podcast, a solo podcast about it the other day, but we're increasing the generation or the capacity in the state of Texas, in ERCOT, by 50% by 2030. Like that's five years.

Kam Chumley-Soltani (Armis) (15:46.306) My gosh, yeah.

Kam Chumley-Soltani (Armis) (16:01.034) Yeah. Yeah, actually, all the viewers should also know that both Aaron and I are proud Texans to call that out. So it's in our hearts. Yeah, go ahead, Aaron.

Aaron Crow (16:06.54) That's right. Yeah. So, so what does that mean? That means that we are increasing the generation capacity in our state in five years. Right.
So that one and a half times of what we have now. And the weird thing is, is we're still shutting plants down because they're getting older, they're legacy fossil fuel sites and we can't

Kam Chumley-Soltani (Armis) (16:18.486) Yeah.

Kam Chumley-Soltani (Armis) (16:23.414) Mm-hmm.

Kam Chumley-Soltani (Armis) (16:28.117) Yeah.

Aaron Crow (16:33.976) there isn't a way to do this with renewables, which means one of two things. The prime use is that it's going to be gas, combustion turbine gas. And the other conversation that people are having is spinning up nuclear. Whichever one is in Pennsylvania, it's not Chernobyl, that's Russia. It's Three Mile Island.

Kam Chumley-Soltani (Armis) (16:37.579) in

Kam Chumley-Soltani (Armis) (16:43.01) Mm-hmm.

Kam Chumley-Soltani (Armis) (16:48.331) Yeah.

Kam Chumley-Soltani (Armis) (16:53.473) Which the nuclear conversation is a whole other thing too, because then you have to get through all of those conversations if people believe that it's safe or not. And there's a lot of research out there, but it's an option, right?

Aaron Crow (17:01.922) Right. Yep. Correct. It is. And they're doing it, right? There's all sorts of new technology that's coming out where they're actually doing like skiff size, about the size of a container that is a controlled nuclear reactor on a skiff. And it's like, you can put up to a hundred of them together to be like a gigawatt of power.

Kam Chumley-Soltani (Armis) (17:15.872) Mmm.

Kam Chumley-Soltani (Armis) (17:19.649) Mm-hmm.

Kam Chumley-Soltani (Armis) (17:25.194) Mm-hmm. Mm-hmm.

Aaron Crow (17:31.374) But all of these are ways we've got to find, we've got to solve this solution. I read a book a long time ago, right? And I've read it multiple times, like what got you here won't get you there, right? We've got to do things different if we want to get past this solution.
Our power demand is going to increase, which is tied to all, it's tied to our economy, it's tied to everything. And that going to the Idaho National Labs, cyber-informed engineering, we've got to include cyber in that conference. Like you said, 10 minutes ago,

Kam Chumley-Soltani (Armis) (17:32.647) Mm-hmm.

Kam Chumley-Soltani (Armis) (17:43.007) Hmm

Kam Chumley-Soltani (Armis) (17:52.16) Yeah.

Kam Chumley-Soltani (Armis) (17:57.354) Right.

Aaron Crow (18:01.1) We've got to have it be part of that conversation when we're designing these systems. We have to solve these power problems. We have to solve this AI thing. We have to solve all of these issues. And also we have to do it safely, securely and make it, you know, instead of trying to bolt on cyber three years down the road when it's going to be more expensive, it's going to be hard to change. And it's just, it has to be done now. It really just has to be.

Kam Chumley-Soltani (Armis) (18:02.175) Yeah.

Kam Chumley-Soltani (Armis) (18:20.971) Right.

Kam Chumley-Soltani (Armis) (18:27.297) From the very beginning, even looking at, we'll take an example of building compounds for facility control systems on DoD sites, with the regulation of having that visibility and monitoring requirement as you build them up. That same sort of philosophy and methodology should be applied to, in my opinion, and I think you articulate the same here, is all verticals are critical infrastructure. If you don't have that cyber-informed engineering from the very beginning, it's not something in mind, then that is a potential risk, not just from a cybersecurity standpoint, but from a safety standpoint, from an economic standpoint, and an overall trust standpoint. I will say it is a bit refreshing though, now, refreshing and also a bit scary, that we're hearing more and more about it, right?
Like that issue, people are talking more about electric utilities in Texas, and I think across the country as a whole, every time you turn the TV on, there's something about it. And to give you an example, I'm speaking tomorrow at the Texas Digital Government Summit in Austin. And the panel that I'm speaking on is for critical IT systems. And when I looked through, there's some amazing people that are going to be there that are definitely humbling to be around. When I looked through all the speaker presentations in the panel, there wasn't a single thing about OT, which is really interesting. And so we all convened, and they'd asked, well, what questions from the audience should we be expecting? What are some questions that maybe that you want to lead with? It was actually really refreshing, but at first I held my breath and I kind of squeezed OT in there and I was like, what about the relationship between IT and OT and building that into our IT infrastructure? And without any hesitation, everybody on the call with a resounding yes agreed to it. And that was nice because I don't think that we were there 10 years ago for people to even understand it. Whether it's the conversation of people having more situational awareness for

Aaron Crow (20:12.344) Right.

Kam Chumley-Soltani (Armis) (20:20.384) doing things like electrical utilities in the very beginning or maybe other methods to provide power, that going back to having cyber built in the very beginning, there is an increased level of awareness. I guess the next question is, how exactly do we expedite that awareness, right? What things do you see in the community or what things do you believe that we can do as contributors or as a community in whole to keep teaching and training? Because there are a lot more conferences. I think there is a lot more collateral. But in the perfect world, how would you see that being done?

Aaron Crow (20:51.212) You know, it's a, it's a double-edged sword.
Obviously I'm, I'm focusing, you know, I focus a lot in the critical infrastructure space. Obviously I do this podcast and, you know, speak at things like you do as well. Right. So, but usually when we're speaking at those types of things, we're not speaking to people that maybe don't already know it, or they're already aware of cyber. Maybe they're IT people. They're not OT people. You know, one of the bigger struggles I see is, you know, in the government federal space, right.

Kam Chumley-Soltani (Armis) (21:03.177) Mm.

Aaron Crow (21:18.114) When you go, I've been to Capitol Hill, I've had those conversations with congressmen and senators and their staff. They're vastly under-aware of what's going on in the space or even what the real risk is and how difficult of a problem it is to solve. Right. And that's something we've got to continue. Part of that I'm sure is you can't be an expert at everything and I can't.

Kam Chumley-Soltani (Armis) (21:22.483) of conversations with Congressmen. Mm-hmm.

Kam Chumley-Soltani (Armis) (21:43.315) That's for

Aaron Crow (21:44.14) Believe me, I don't want to wear that hat, but I can't imagine being a representative that has to, you have to know about financials and all of the different things that happen in our world and our government and our local and state and federal. And cybersecurity is such a very difficult and big problem. Like how could you expect, you know, an 80 year old person or a 30 year old person to be able to understand, you know, all of those problems? So we have to be able to consolidate this down.

Kam Chumley-Soltani (Armis) (21:47.347) Yeah, me neither.

Kam Chumley-Soltani (Armis) (22:01.95) I mean.

Aaron Crow (22:12.322) I try to have these conversations where I could explain it to my mother, right?
I could explain it to my grandmother in a way that obviously she's not going to get to the same level you and I have with the experience because that's what we do, but they should at least understand enough. Funny enough, my mother-in-law actually listens to my podcast. She doesn't do, she doesn't do cyber security. She doesn't have anything to do with any of this stuff, but she finds it interesting, which to me is just hilarious, but it's awesome. Like if you're listening, Michelle, hello.
Kam Chumley-Soltani (Armis) (22:16.691) Yeah.
Kam Chumley-Soltani (Armis) (22:23.679) Mm-hmm.
Kam Chumley-Soltani (Armis) (22:28.919) I love that, man. Yeah. Yeah. Yeah. After every session she's like, Aaron, loved the call today. This is great.
Aaron Crow (22:42.126) That's right. But you know that it's funny, but that's what we have to do. We have to make this. It's really easy to say big words and prove how smart I am by drawing on the board and talking about zero trust and AI and all the things. But I have to be able to condense it down as a salesman does after you have to condense it down so that you understand it and that you not only do you understand it, but you understand the risk and the value and the need and the importance and that you know.
Kam Chumley-Soltani (Armis) (22:48.392) Yeah.
Kam Chumley-Soltani (Armis) (22:57.363) Yep.
Kam Chumley-Soltani (Armis) (23:02.376) For sure.
Aaron Crow (23:11.522) be able so we can have a conversation around who do we need to get involved that can help us find a solution out the other end. And then you all the politics things that's beyond, I don't even want to talk about that because that's the other thing. Securing the grid should not be left or right. It should be, we all use electricity. We all want to continue to use electricity and water and transportation and everything else. Let's just put those things aside.
Kam Chumley-Soltani (Armis) (23:18.109) Yes.
Kam Chumley-Soltani (Armis) (23:22.463) Yeah, yeah, that's, that's a whole other realm right there. Right. Yeah. Yeah, basic needs. Yeah, right, right. And even the education piece, you made a really good point too of making it as foundational so that anybody could walk in the room. I like that analogy of explain it to your mom or stepmom because I literally do this all the time with my family. So I think we probably share that experience. In a way where you explain it, not only does it get the gears going and you see the light bulb in their head, but then they're curious about it.
Aaron Crow (23:52.238) You
Kam Chumley-Soltani (Armis) (24:03.091) and they're comfortable enough to actually ask questions in the room. I think the most beneficial conferences or sessions or workshops that I've ever been to is when you walk in a room, you don't know what anybody there does, you don't know who they are, you don't even know what you're walking into, you just know you're about to have a discussion about something infrastructure related. And you go around the room and you make intros and then they just bring a topic up and you just sit there and you just talk back and forth and those are almost the most valuable ones because it's like you're locked in the room together. You got to figure it out. I, every single time I've left a room like that, learning more because I don't, I don't know everything and the space is changing so fast, building relationships, learning more and educating myself. And then also bringing any experience that I have to the table so people can learn from it. I almost wish there was more of that in industry. Like now I'm not saying the conferences, everything aren't important. They definitely are, but even
Aaron Crow (24:33.762) Right. Yeah.
Kam Chumley-Soltani (Armis) (24:58.65) a conference that three days is dedicated to just rotating round tables of discussion. Can you imagine that? My gosh.
Aaron Crow (25:03.214) Yeah, that'd be incredible.
You know, and I'm currently I've got an intern that's working with me. And I tell this to everyone. But even, even down to not that an intern is less than me, I just mean they're, they're very, you know, just graduated college has no, you know, hasn't worked in this industry or a lot of experience in this space. I always tell everyone I don't care if you think I'm wrong or you want to ask a question, ask the question, challenge me. Right? I don't want like, we don't need yes men around us. We need people that will challenge us. And, and you know, when I had teams and, and, and, you know, when I worked at power utility, I had the, you know, pretty decent sized team. And obviously there were people that reported directly to me or had, you know, little to no power utility experience. And so it can be intimidating to challenge someone like that, or the plant manager or, you know, the control system operator or anything like that. And I'm like, look,
Kam Chumley-Soltani (Armis) (25:33.436) Yeah, for sure.
Kam Chumley-Soltani (Armis) (25:37.905) No.
Aaron Crow (26:01.504) I'd rather you ask a, I'm doing air quotes here for people just listening, stupid question, because it's not a stupid question. If it's coming up in your head, there's a reason, trust your instinct, ask the question. And maybe they have a good answer for it and that's fine and then you move on. Like, I'm not telling you to start a fight with people, but at least ask the question so that they at least have to think through. It's kind of like the whiteboard analogy used earlier. When you're drawing it out and you get to that place, you're like, okay, so how does this work? And people are like, well,
Kam Chumley-Soltani (Armis) (26:03.286) Mm-hmm. Yeah.
Kam Chumley-Soltani (Armis) (26:19.901) Mm-hmm.
Kam Chumley-Soltani (Armis) (26:25.661) Hmm. Yeah.
Aaron Crow (26:30.688) You told me in the beginning you didn't have remote access, but how are you getting to here without remote access?
And then you're like, well, we have that and there's a 3G card that they connect in from the back and that goes directly to the vendor. That's called remote access.
Kam Chumley-Soltani (Armis) (26:37.477) Right. Yeah.
Kam Chumley-Soltani (Armis) (26:44.785) Yeah. Yeah. Yeah. And by the way, they're all shared group credentials and we don't have any logging by any means. The, the modem's always open like, yeah, we're getting somewhere at this now. Yeah. Yeah. That's fair. And also it's like, getting back down to the foundations. I think even anybody that's a SME and whatever you do in life, engineering, cybersecurity, teaching, finance, whatever it is.
Aaron Crow (26:50.52) Correct. And we don't monitor it. Correct. Correct.
Kam Chumley-Soltani (Armis) (27:11.385) Even having, like that's why personally even doing like instructional or teaching, I think it's very rewarding because the same way that you and I and several others in the community go out and we try having that back and forth conversation like we're having now, you really do learn something and you reinforce your own learning. I mean, there's so much to learn that it's almost like even having reminders about those foundational things, it recalibrates you again and it's humbling in a lot of ways.
Aaron Crow (27:37.656) Well, and I mean, for me, it's all, I was talking to my wife about it yesterday. My kids are with their grandparents. So my wife and I were, you know, we were at a bookstore and we were just doing single parent things, right? Where we didn't have any kids around us, which is, we've been married 17 years, have three kids. So we rarely get those, so we take advantage of them. So we were at the bookstore and I was just recalling.
Kam Chumley-Soltani (Armis) (27:52.017) Yeah.
Aaron Crow (28:02.862) my early career and I was in desktop support and I was like 19 years old, like my first real job. And I remember I didn't know very much at all. I mean, I was very technically capable.
I taught myself how to use computers. I was pretty smart and capable, but I'd never worked a job. I didn't know any of this stuff. And they were doing a project, whatever company I was working for was doing a project. And they were like, hey, does anybody know?
Kam Chumley-Soltani (Armis) (28:12.092) Mm-hmm.
Kam Chumley-Soltani (Armis) (28:22.879) But.
Aaron Crow (28:29.666) how to do this and nobody raised their hand and then they were like, okay, well we need this done. Who's willing to do it? And I raised my hand. I'm like, I'll do it. They're like, do you know how to do it? I'm like, nope, but I'll figure it out. So then I just went, I went to a store and I literally bought a book and I think I bought like 10 books on this subject. And I didn't read them cover to cover, but I was looking for the things that would help me and I use them almost as a reference. And I did that back then and it really grew my career. Cause I was always the person willing to raise my hand and I was willing to take on a challenge. I was willing to be wrong.
Kam Chumley-Soltani (Armis) (28:30.812) Thank
Kam Chumley-Soltani (Armis) (28:38.396) I figured out. Hmm.
Aaron Crow (28:58.54) I was willing to ask the stupid question and I was also willing to go home and read a book and study and then try to figure it out and play with it in the lab and in all the things. But I've never stopped that. Like I, I constantly read, I'm constantly trying out. It's why I've been diving into AI. You know, I've been doing cyber security for so long, but I've been diving into AI because I see not that I want to get out of cyber security, but that I see AI is going to be part of how we succeed.
Kam Chumley-Soltani (Armis) (28:59.876) Yeah.
Kam Chumley-Soltani (Armis) (29:11.76) Yeah.
Kam Chumley-Soltani (Armis) (29:23.963) Right.
Aaron Crow (29:26.72) and things we're gonna have to defend against, right?
So we should be constantly learning and growing because A, it keeps our mind sharp, but also it's going to be, it goes back to what I said a minute ago, what got you here won't get you there. You can't just be the Palo Alto firewall guy because that's all you'll ever be. You're not gonna be able to get a promotion. Like you're gonna be limited. And I love Palo Altos and I love configuring firewalls, but I don't wanna be pigeonholed into only doing that for the rest of my
Kam Chumley-Soltani (Armis) (29:30.252) Yes.
Kam Chumley-Soltani (Armis) (29:36.293) Yeah.
Kam Chumley-Soltani (Armis) (29:41.2) Yeah.
Kam Chumley-Soltani (Armis) (29:51.002) Right.
Kam Chumley-Soltani (Armis) (29:54.88) Yeah, it makes me more multifaceted and several different dimensions where you're talking, and I love that, by the way. Being a lifelong learner is so, so important, not just in our industry but across the board. I mean, I remember sitting down in some of these meetings and people be asking questions or I'd be a fly on the wall and they would say something and I remember sitting there being like, I don't know what that is, like I have no idea what that is, and I didn't take a second. So what I did is I went, I bought this huge notebook and I would just start writing notes nonstop. And then every Saturday I would go to Barnes and Noble, it's great people watching by the way, have a couple coffees and I would just study. And I would write tons and tons of notes. And today, it was so funny because this is really relevant to me right now, I was going through my files in File Explorer and my notes page popped up, it's still running. And I have over 200 pages in notes over the last couple of years that you just go, go, go, go. And it is important, man, to just completely keep educating yourself. And also when you learn things, like your example where you raise your hand, you volunteer yourself, what's that expression? I'm a Navy guy, but smooth seas never made skillful sailors, right?
Throwing yourself in and learning how to navigate the ship and how to run a crew, even whenever it might seem incredibly difficult or you don't really know the path ahead, you figure it out. And then when you get to the other end and you dock, you can tell the other sailors about it. And now when they go out to sea, now they have experiences that they can lean on or they learn for themselves. So that analogy is on the fly, by the way. I didn't record that y'all. So it's all there, right? So that's exactly what it is. And under your conversation of AI, totally agree. And there's times where, you know, you're working and you're grinding, you're doing all these amazing things to the community, but it's also so important to carve time out for growth for things that may be related or tangential, but like they have some relation, like cybersecurity and AI, right? Or OT and AI.
Aaron Crow (31:23.135) Hehehehehe
Kam Chumley-Soltani (Armis) (31:47.843) we're starting to see the convergence of both of these things coming together at a very accelerated rate. And similar to you, right? I got really fascinated with this and I wanted to research it and it comes down to a timing thing and making time. And I ended up, I don't know why I did this, but I just finished one of my school programs. I decided to go for an AI school program. And I remember looking at it and I was like, man, it's kind of pricey, know if I should do this. And then I took a step back and I was like, you know what? Honestly, eight hours every Saturday and learning AI, it's not just gonna help me in this field, but it'll help me be more well-rounded and a general Swiss army knife. So it's the future, like all around.
Aaron Crow (32:22.766) Sure. Yep. Yeah. Yeah. Well, and again, but it really gets to the mindset we need to have and how do we solve these problems? Right.
So, you know, we've talked a lot about in this episode, right, is how do we, you know, what do we think and how, can we do and what's the next steps and what's the future is coming faster every moment, right? It's changing. It's exponentially growing faster and the technology curve is just taking off and AI is going to get us there even faster.
Kam Chumley-Soltani (Armis) (32:50.093) Yes.
Aaron Crow (32:51.672) So that just means it's gonna be on us to do more and more, right? We're gonna have to learn faster. We're gonna have to shift and adapt because unfortunately in the cybersecurity space, the bad guys are gonna be using it too, right? So if we're lazy and we say, we're just gonna keep doing it this way because this is what we've done for the past X number of years and it's been fine, that works until it doesn't, right? And that's gonna cause the problem because we're not ready, right? And they're going to be...
Kam Chumley-Soltani (Armis) (33:05.283) Yeah.
Kam Chumley-Soltani (Armis) (33:15.243) Sure.
Aaron Crow (33:19.258) using all of those things because it's easier for them to use this newer technology than it is to break. They're not going to attack you where you're strong. They're going to attack you where you're weak. It's just obvious, right? You know, Sun Tzu, Art of War, you know, use your strengths as weaknesses and your weaknesses as strengths. It's going to be all of those types of things. So we have to be thinking about these things. We have to be, you know, on the federal space. We have to be looking at.
Kam Chumley-Soltani (Armis) (33:29.373) Mm-hmm. Mm-hmm.
Kam Chumley-Soltani (Armis) (33:37.784) Yeah.
Aaron Crow (33:45.145) bases and federal buildings and all these types of things because those are, if there ever was an attack in the future and a nation state were going to attack us, cyber is going to more than likely be part of that, of their response, right? So they're going to be coming after bases. They're gonna be coming after buildings.
They're gonna be coming after our infrastructure. They're gonna be coming after buildings and streetlights and our electric grid. mean, just you name it. Anything like that would cause panic. would cause Kam Chumley-Soltani (Armis) (33:53.965) Mm-hmm. Kam Chumley-Soltani (Armis) (34:00.311) Yeah. Kam Chumley-Soltani (Armis) (34:13.166) Yeah. Aaron Crow (34:14.412) Difficulty for movement around the cities and transportation and all of these things. It's just like a big domino that impacts and just slows us down and changes our focus where you know a bad actor can attack or they can you know steal something or whatever they're trying to do and all of these things are linked together. Kam Chumley-Soltani (Armis) (34:26.04) Mm-hmm. Kam Chumley-Soltani (Armis) (34:33.496) Yeah, I don't know if people ever really think about the daisy chain effect of all of these things, right? Like a primary attack on electric utility or power, what are secondary and third hand effects of that? Or even jamming comms with no RF, how much that impacts everything across the board? We see it in geopolitical issues today too, right? And it's really the first step to de-capacitate everything that's going on in capacity, everything that's happening around the city, county, state, and nation. Aaron Crow (34:45.934) right. Right. Kam Chumley-Soltani (Armis) (35:02.314) And then once you lose some of those infrastructure pieces, it all just starts falling down to your point. And another part of AI too, right? Like if we're not using AI, I guarantee you that nation states and adversaries are, I mean, even looking at things like programming today, right? You can go write hundreds of lines of code and pure application that that would take me hours back in the day. And now you just put your prompt in, you do a little bit of prompt engineering, tailor it as you want. Aaron Crow (35:18.082) Mm-hmm. 
Kam Chumley-Soltani (Armis) (35:30.669) The same capacity that we're making those applications and we're doing things to make our life a bit more easier with automation, which I'm not bored with. On the other end of the spectrum, they're also doing things like looking at how to exploit payloads and create those different payloads and how you're impacting different registers. And it's pretty crazy that instead of the 100 lines of code that took me a couple of hours, it's the same thing for them. So instead of a couple of hours on their front, it might take them 15, 30 minutes, an hour. I mean, I'm not talking about very sophisticated and complex zero days, but maybe, maybe we will get there in the very near future.
Aaron Crow (36:01.718) Right. Yeah. Well, and we're already seeing it again. I talked about this in a previous episode where, you know, it's almost a race now. So when a vulnerability comes out, when XYZ vendor releases, hey, we've got this vulnerability and we even have a patch for it. The problem with that is that the bad actors know that there's a vulnerability and you're vulnerable until you patch it. Right. And especially in OT, we don't patch as frequently. Now, granted,
Kam Chumley-Soltani (Armis) (36:13.27) Yeah.
Kam Chumley-Soltani (Armis) (36:20.183) Yeah.
Kam Chumley-Soltani (Armis) (36:28.087) Yeah.
Aaron Crow (36:30.946) We have mitigating controls and we're not in theory on the network or internet and blah, blah, blah. But that doesn't mean that we're not at risk. So that's the problem is it's almost like as soon as they release the patch or release the notice that there's a vulnerability, now the bad people, the bad actors know that. And now they can, you know, narrow it down and say, I'm only going to attack these things. And I know the, I know the path in they're giving you the answers to the test.
Kam Chumley-Soltani (Armis) (36:39.608) Mm-hmm.
Kam Chumley-Soltani (Armis) (36:49.72) Thank you. Yeah, yeah.
Aaron Crow (36:56.15) And then all you have to do is use AI or adjust an attack that you already have that would fit that or fix that. So they don't have to figure out the whole world. They don't have to find all of the solutions. They just have to find the one. And they know that you have this PLC or this controller or this firewall or this whatever that has the vulnerability. And I'm just going to attack that. And then I'm in the door and then I can do something. Maybe I drop a payload. Maybe I do whatever I want to do. That's the problem that we're facing. Is this just to your point? It's going to be faster.
Kam Chumley-Soltani (Armis) (37:14.359) Mm-hmm.
Kam Chumley-Soltani (Armis) (37:18.955) Yeah.
Aaron Crow (37:26.114) for them to make something that can take advantage of those vulnerabilities. They don't even have to find the vulnerabilities themselves. They just wait until somebody announces it, right? So what's the way around that?
Kam Chumley-Soltani (Armis) (37:27.403) Yeah.
Kam Chumley-Soltani (Armis) (37:36.777) No. Yeah. Yeah. And by the way, they're not only they're telling you the vulnerability, but they're going to tell you the remediation that every single asset owner is going to use. It is unique, too, right? Because then the asset owner, you know, again, my heart goes out to anyone that's ever been impacted in a situation like that. But you have to scramble for successful incident response if you even plan for the incident response. And when the response happens, do you have a playbook that has a primary and secondary owner? Who knows? Is all the data up to date? Who knows? And then, you might have how many tools now you're using across IT and OT. It's not one pane of glass. You're having to run around. How is your learning system working? Like, are you running to a product that's a SIEM in its own capacity? Is it a bunch of white noise? It's doing automated flows. Is your organization okay with automated flows?
Because people get a bit scared of that idea, which I can totally understand. But even on the AI front of what you mentioned earlier, which I'm thinking about now is, you know, fighting AI with AI. And I think it's also a fair call out to say, when we say fighting AI, that doesn't mean you have to give it the keys to your entire castle. You can do it in a layered way to where maybe it's just on the front line outside the door. And then it is now a supplement or an augmentation to your security program, but not necessarily the kernel of it. So. It's a really good call out, honestly.
Aaron Crow (39:01.154) Yeah. Well, and it, but that goes back to, and then everything comes back around to if I design my system and I use cyber informed engineering and I design that system, I figure out, I can design in where I can plug that AI or that capability in. Obviously, you know, I don't want to give it control over my, over my system. I'm not going to just tie in AI and have it turn things on and off in my, in my lower Purdue, you know, the lower levels of the Purdue model.
Kam Chumley-Soltani (Armis) (39:08.458) Mm-hmm.
Kam Chumley-Soltani (Armis) (39:12.384) Yeah.
Kam Chumley-Soltani (Armis) (39:23.753) Right.
Kam Chumley-Soltani (Armis) (39:27.967) Yeah.
Aaron Crow (39:29.57) But at those higher levels where it's outside and it's not directly controlling, I can have it do things, right? Because worst case scenario, I can't get to it remotely, but I'm in the room, right? And that's okay because I wanna be able to control those things. So that's where we need to start thinking outside the box. 10 years ago, we never would have had that conversation. Like they would never allow any automatic responses or automatically turn things on or off, not to, and that's from a human, much less having an AI do something like that.
Kam Chumley-Soltani (Armis) (39:30.358) Mm-hmm.
Kam Chumley-Soltani (Armis) (39:36.255) Amen.
Kam Chumley-Soltani (Armis) (39:40.139) Yeah.
Kam Chumley-Soltani (Armis) (39:46.475) Mm-hmm. Yeah.
Kam Chumley-Soltani (Armis) (39:57.021) Yeah. Yeah, exactly.
Aaron Crow (39:59.434) We've got to be, we've got to at least start challenging the, the, the status quo and start pushing beyond just the, we would never do that. Right. It's gotta be more of a, okay, how could we do this? What could we do? Where's the limit? Where's, where's the boundary and how could we do it safely? What areas could we put it in where it could help? Right. And start having those questions instead of just saying, no, start saying, how could we like, obviously I know I'm not going to plug it into my control system. Gotcha. I agree with you. That's off the table.
Kam Chumley-Soltani (Armis) (40:20.927) Yeah.
Kam Chumley-Soltani (Armis) (40:27.71) Right.
Aaron Crow (40:28.984) But where could we put it? Could it, could we put it above the firewall where it's just looking at things coming in from outside? I mean, maybe you're okay with that.
Kam Chumley-Soltani (Armis) (40:30.377) Yeah.
Kam Chumley-Soltani (Armis) (40:34.494) Yeah. Yeah, yeah. Maybe there's a data diode. Maybe the AI is running on local compute and it's not even SaaS or hybrid based. And maybe that compute is just, or the AI engine itself is just informing the decisions to a policy that you already have built into your NAC itself. So I totally agree. And history really, I personally believe is repeating itself. I mean, if you look how the industry has been even over the last 30 or 20 years, thinking about things like
Aaron Crow (40:40.11) Correct. Right. Correct.
Aaron Crow (40:50.38) Right. Correct.
Kam Chumley-Soltani (Armis) (41:07.424) digital transformation for anyone that is listening. Those are the air quotes I threw out. Digital transformation, incorporating things like passive analysis and spans and taps and smart active querying and integration in those ways.
And as we see over time, people have started understanding a safe way to deploy these different mechanisms to make them more secure. And AI is just another thing and it's the next phase and it's coming and it's coming fast. And it can be contained. should to figure out a safe way to do it, right? So to your point, I think maybe some people hear the idea of AI and any sort of industrial control system or vertical infrastructure, and immediately they say, I'm good. No, thank you. Have a nice day. But it's peeling the layers back for sure.
Aaron Crow (41:55.95) Yeah, absolutely. And, you know, the same thing goes back to, you know, how many years have we been saying you can't, you can't be active in OT, right? You can't scan in OT, scan is a bad word in OT. The funny thing is, is I was using, you know, NAC, you mentioned NAC. I was using a NAC in OT before there were any passive monitoring OT tools available back in 2010. None of these products existed. Like Dragos didn't exist when I, when I started doing this stuff, right? It wasn't a product that you could buy.
Kam Chumley-Soltani (Armis) (42:05.247) Mm-hmm.
Kam Chumley-Soltani (Armis) (42:08.964) Mm-hmm.
Kam Chumley-Soltani (Armis) (42:13.599) Yeah.
Kam Chumley-Soltani (Armis) (42:18.907) Mm-hmm. Mm-hmm. Mm-hmm. Mm-hmm. Mm-hmm.
Aaron Crow (42:25.4) So I took Cisco and Splunk and other products and put it into OT spaces, was doing full packet capture on networks, we're using a NAC and we were scanning networks, but I would configure it. Okay, don't scan this subnet, don't scan this and I'm not doing a full protocol scan. I'm just interacting. I'm logging in SNMP on switches to get their capabilities. I'm doing all that. You can do it. You just can't do it. You can't do a full Nmap scan on your network every...
Kam Chumley-Soltani (Armis) (42:41.01) Right.
Kam Chumley-Soltani (Armis) (42:44.618) Yeah.
Aaron Crow (42:54.2) two hours like you might do in an IT space because absolutely it'll cause problems.
But because of those problems, that's what's gotten this bad stigma. And a lot of the vendors have really pushed we're passive and that's the only way and people bought in and passive is great. I love passive and I think it's a need and everybody should have passive monitoring. And also we need to do more. And also we need to look at AI and also we need security. It's an entire
Kam Chumley-Soltani (Armis) (42:58.025) Yeah, for sure. Yeah.
Kam Chumley-Soltani (Armis) (43:09.374) Yeah. Mm-hmm.
Kam Chumley-Soltani (Armis) (43:18.888) Yeah.
Aaron Crow (43:22.73) ecosystem of things that we need because I mean look at NIST, you know, NIST CSF or NIST 853 or you know 62443. There's more than one control. It's not like you just put in a firewall and I'm done. Like it's not, just I put in point protection so I'm good. I don't need any more cyber. That's all the cyber I needed. Thank you.
Kam Chumley-Soltani (Armis) (43:30.42) Mm-hmm.
Kam Chumley-Soltani (Armis) (43:41.044) Right, right, right. There's layers, man. 100%. And even going back to like the passive and the active conversation, you know, you always hear the story about somebody that is a very aggressive, active poll, and knocks the whole plant down, the world ends. I mean, that could definitely, you know, right? Like, I get it. And you can have aggressive scan if you're going out there and you're doing it in a, how do I say this, in an irresponsible way, or maybe a very
Aaron Crow (43:42.552) Correct.
Kam Chumley-Soltani (Armis) (44:09.638) aggressive way where it's not contained. Absolutely, right? But as all things, any tool that you use or any way you're configuring a network, if you can configure something the wrong way, think about like a broadcast storm. That could take a network down too, if you're not configuring it correctly.
Providing the capability to do things like deep packet inspection and the active capability, if that organization wants to do it and the mechanism is done in a very safe, low and slow way,
Aaron Crow (44:20.952) Yeah. 100%. Yep.
Kam Chumley-Soltani (Armis) (44:38.324) talking unique protocols with bit rates that mimic those of a control system. Cool, not like bazooka-ing an Active Directory all over the place, right? And the other thing too that you mentioned that I actually really appreciate is when you did build that NAC out in 2010, when you had a NAC and you had Splunk and you used different tools together, the power of collaboration between tools, not in a way to where it overburdens an organization operator or customer, but in a way where it actually enhances it.
Aaron Crow (44:47.042) That's right.
Kam Chumley-Soltani (Armis) (45:08.445) I think once you reach, once you pass that line or you have so many tools, you gotta blow the dust off of something. It might be time to consolidate a bit down.
Aaron Crow (45:15.65) Yeah. Well, and to your point, and this gets into the people side of things. I can't be an expert at everything. Right. I'm a smart guy. I've had my hands in a lot of things. I've done firewalls and I've done NACs. I've done, you know, spanning. I've done a lot of things in my career and I'm pretty good at all of them, but you don't want me being the guy that's doing your, all of the things, right? I'm really good at seeing the big picture.
Kam Chumley-Soltani (Armis) (45:22.429) Mm-hmm. Yeah, for sure.
Kam Chumley-Soltani (Armis) (45:36.435) Mm-hmm.
Kam Chumley-Soltani (Armis) (45:40.178) Mm-hmm.
Aaron Crow (45:42.464) I understand Zero Trust and Cloud and all the things, but you want me helping drive the direction. You don't want me hands on keyboard designing the firewall policy. Even though I've done that in my past and I could dust off that section of my brain and make it work in a pinch.
But there's a lot better people than me that can do it now and would do it a lot more effectively and a lot faster and all the things, right? So when you get into OT, I find that so few organizations have
Kam Chumley-Soltani (Armis) (45:43.763) Mm-hmm.
Kam Chumley-Soltani (Armis) (45:54.715) Right.
Kam Chumley-Soltani (Armis) (46:01.009) Mm hmm.
Kam Chumley-Soltani (Armis) (46:11.782) Thank you.
Aaron Crow (46:12.014) Again, going back to what I had, I can't speak for everybody, but everybody I've seen has been this way. They have a very, very small OT team of one, maybe, you know, I had six people that worked directly for me and we supported 45 power plants across the state of Texas, right? And that was a nuclear power plant and, you know, mines and all these different places. And we supported all the technology from the OT firewall down.
Kam Chumley-Soltani (Armis) (46:17.159) Mm-hmm.
Kam Chumley-Soltani (Armis) (46:22.29) Yeah.
Kam Chumley-Soltani (Armis) (46:27.782) Mm-hmm. Jeez. Yeah.
Aaron Crow (46:40.14) And the IT side had a dedicated firewall team and a dedicated VM team and a dedicated application team and a dedicated networking Cisco team and a dedicated.
Kam Chumley-Soltani (Armis) (46:40.498) Mm-hmm.
Kam Chumley-Soltani (Armis) (46:45.83) Yeah. But the OT team? Six. Strong.
Aaron Crow (46:49.486) Exactly. They had 10x the budget of us and all the things. And again, I'm not saying that they shouldn't have had the budget they had. I just mean that my team had to be multi-skilled. They had to be able to support VMware and Cisco switches and routers and firewalls and, you know, WhatsUp Gold and Splunk and a NAC and, you know, patching and everything in between.
Kam Chumley-Soltani (Armis) (46:53.956) Yeah.
Kam Chumley-Soltani (Armis) (47:03.12) Yeah.
Aaron Crow (47:16.596) And obviously they can't be experts in any of those things, but they had to be good enough that they could figure it out and then open tickets and work with sponsors and vendors.
But this goes back to having that partnership in a perfect world. My team would be hands on, but if they had a firewall issue, they'd work with the IT firewall team because they do this on a daily basis and they have this, the deeper skillset. We would bring one of those IT people into my OT space and my team would just monitor and advise them on, this is what I want to do. I need you to implement it. This is the

Kam Chumley-Soltani (Armis) (47:26.93) Yeah, of course we should.

Kam Chumley-Soltani (Armis) (47:44.978) Mm-hmm.

Aaron Crow (47:45.612) the criteria and do it this way, make sure that we all agree and then have them help us implement, right? So that'd be a perfect world, but I've seen almost no one actually execute that way. Unfortunately.

Kam Chumley-Soltani (Armis) (47:47.94) Thank you.

Kam Chumley-Soltani (Armis) (47:54.001) Right. I was about to say, with the wand, amazing, right? But to your point, it's always, have to sit down and comes back to, I don't own that, or maybe that's not my scope of responsibility. And then you take a step back and you're like, we're six people. How do we get this done among all of us and load balance bandwidth here? So I don't know. I mean, that's another good conversation of resourcing-wise, how to support that in OT. And the tools not only are for security,

Aaron Crow (47:59.628) Yeah.

Aaron Crow (48:08.951) Right.

Kam Chumley-Soltani (Armis) (48:27.184) and automation, but doing it in a way where it makes their lives easier, the end user easier. And, you know, I think we're starting to get to a point with things like software-defined networking and how you're doing route and switching management, APs management, but even things like people becoming more and more okay with automation to alleviate that burden. But yeah, I mean, six people across all those sites, that's a constant grind. Yeah.

Aaron Crow (48:30.68) Correct.

Aaron Crow (48:53.74) Always. Right. It was, it was working every outage.
I mean, I had three guys that started, they went through training, onboarding training, and then they came, they never went to their office. They just started going to outages at power plants for the next six months. So for the next six months, they were at power plants all over the state doing control system upgrade projects and outages working, you know, seven days a week, 16 hour days sometimes.

Kam Chumley-Soltani (Armis) (49:06.93) They're like, this is the training actually. You have to do six outages your first week. And they're like, what? Yeah.

Kam Chumley-Soltani (Armis) (49:18.566) Yeah.

Aaron Crow (49:22.934) And it was a grind, it was what was required to get it done. At the end of the day, they had, to your point, it was the best training they could have gotten, right? After six months, they were experts. They'd been in six control system upgrades. They'd been in outages. They'd seen the problems. They built the systems. Who better to support it than the guys that built it, right? And after that point, they're rock stars. And to this day, they're still working in the space and crushing it in OT.

Kam Chumley-Soltani (Armis) (49:23.996) Yeah.

Kam Chumley-Soltani (Armis) (49:36.048) Yeah, for sure.

Kam Chumley-Soltani (Armis) (49:45.765) Yeah, we're at 100%.

Aaron Crow (49:52.192) And they didn't have any OT experience before that. They haven't heard of the term. They'd never been to a power plant before.

Kam Chumley-Soltani (Armis) (49:56.624) Yeah, yeah, yeah. They were essentially just thrown on the ship and within a limited amount of time, now they're their own captains. And even going back to, yeah, maybe by the time they were, you know, they got on the ship at 18, they were captains by 20 at that point.

Aaron Crow (50:03.66) By the time, yep.

Aaron Crow (50:09.422) Correct. Exactly. By the time they hit land on the other side, they were, they were, they were sailors. Yeah.

Kam Chumley-Soltani (Armis) (50:15.854) That was it.
Yeah, they might be on a yacht. I don't know, man. But if we get back to your saying earlier where you said, you know, you can do everything and you have experience with all these different things, these different facets, right? But going back to the ship analogy, yeah, you can steer the ship and you have so much experience and anyone that's touched all these different things, but you still have things like who's manning the sails, who's using the cannons, who's doing things like building the water. It really is all a movement forward. And I'm just trying to think about the story you shared, and I appreciate you sharing that with me about your team. Is that, I mean, that's something to be so proud of. And I think that's why we all love what we do in this community, is we're all willing to help each other. We've all been in these moments where you're just like, what is happening? And you just have to figure it out. And then three, it's almost like we are giving back in some capacity, whether you're a vendor or you work at a firm or you're an asset owner. One way or another, you have some impact and touch and motivation on the mission. And that's something to say that you can be proud of when you tell people. So it's an awesome feeling.

Aaron Crow (51:19.308) Well, it's part of that. It's one of the things I love about the cyber community in general. Obviously the OT community is even smaller. But it is that I really see it as a community. Most of the folks in here, you have your outsiders or whatever people that are in it for a different reason. But most of the time I find that most people are open. Like you could call me or I could call you and you would help. Like you would answer my call. You would answer a question.

Kam Chumley-Soltani (Armis) (51:25.061) Mm-hmm.

Kam Chumley-Soltani (Armis) (51:42.308) Mm-hmm.

Aaron Crow (51:45.666) without any expectation of something in return, right? Even if we were competitors, like it's just, that doesn't matter.
Like we really see this as the greater good. Now, obviously I'm not gonna give you things that I can't share, but as long as it's within reason, and I find that across our industry, which is great. It's one of the things I love about what we do and go into conferences and doing that stuff because the community is really strong.

Kam Chumley-Soltani (Armis) (51:45.722) Mm-hmm.

Kam Chumley-Soltani (Armis) (51:49.52) Yeah, 100%. No.

Kam Chumley-Soltani (Armis) (52:01.914) Thank

Kam Chumley-Soltani (Armis) (52:05.276) Yeah. Mm.

Kam Chumley-Soltani (Armis) (52:12.612) Yeah, in some capacity where I'd say most of us, if we don't know each other directly, it's just one hop away. We all know each other in one way or another. It's almost like, remember, man, I was gonna say a couple of weeks, must be a couple of months now. I went, sharing the story for the viewers, but I went to a conference that had, it was a construction management conference of firms and engineering firms. And I went and I saw the ICS Village.

Aaron Crow (52:18.254) Correct.

Kam Chumley-Soltani (Armis) (52:39.887) wall there and I remember talking and I was yapping and very loud and energetic like I always am and then all of a sudden I see Aaron's head pop out with this big beard, they all excited, runs up, jumps, gives me a bear hug and what's really interesting is Aaron and I had seen each other a couple of conferences before but hadn't had the chance to really sit down for an extended amount of time but wherever we went it was always that sort of love and support. And all in all, I think just like an overall respect and camaraderie, hey, we're in this together. We all work in this to a common mission and it's something you can really appreciate. So it's a good example right there.

Aaron Crow (53:17.206) Absolutely. Well, hey, we've, we've, we've talked about a lot of fun, fun and exciting, and maybe even a few scary things and I'll wrap it up.
And I think we probably have talked about this before, but I'm going to, I'm going to ask it. Cause I always ask this question to everybody in the next five to 10 years, what's, what's one thing you see come up over the rise and that may be scary, you know, that's concerning or, and the other side is what's one thing that that's exciting.

Kam Chumley-Soltani (Armis) (53:24.354) Yeah.

Aaron Crow (53:40.546) that you see, you know, that that's going to potentially impact our, our environment, our network, our security, our people, our process, whatever that may be.

Kam Chumley-Soltani (Armis) (53:41.966) Mm.

Kam Chumley-Soltani (Armis) (53:49.334) Yeah, sure. I would say the scary piece of it to start off with, because I always like getting on a really positive note, is we're seeing it every day right now for geopolitical issues. And it's so, so unfortunate. My heart goes out to all the people that have been impacted on every capacity of infrastructure being attacked. And it's becoming more and more relevant. It's just something that, you know, imagine waking up without power or imagine waking up without any comms or God forbid kinetic warfare that has secondhand effects. And I'm terrified about that. You mentioned a little bit of it earlier, but I generally believe majority of wars going forward, and not to mention the ones already, unfortunately, that are happening today, are gonna have some sort of touch on critical infrastructure. So that scares the jeevers out of me, just being straight up. And then maybe switching over to a positive note is we talked a bit about this too in the very beginning is,

Aaron Crow (54:38.498) Yeah. Yep.
Kam Chumley-Soltani (Armis) (54:47.32) from a regulation, a regulatory standpoint of yes, the teeth hurt and as long as we can have a fine balance between what that looks like, I'm actually really hopeful and positive about the way that our industry is going, not only to protect the actual infrastructure itself, but to all the end consumers and constituents of state and local governments and our militaries and everything else. And I think in five years, it's only going to expedite even further. And sure, there might be some growing pains, but where we're at today and where our posture is at today, might be a necessary pain in order to have a successful longevity of how we defend our infrastructure in multiple different ways.

Aaron Crow (55:29.134) Yeah, 100% man, 100%. So how can people find more about you? Where are you going to be? Find more about Armis? Like this is the call to action for folks that have gotten to this part. Give them all the juicy details.

Kam Chumley-Soltani (Armis) (55:41.258) Yeah. Oh boy, I tell you what. Okay, well first off, thanks for sticking with us this whole time. I want to start by saying, Aaron, really appreciate you having me. I know we tried this 15 times or whatever it might be, eight times and the number was seven or eight. But just to reiterate, I'm Kam Chumley, Kam Chumley-Soltani. You can find me on LinkedIn, whether Armis related or not. Again, this is a community thing. You can reach out to me anytime and I will make time to talk to anybody. And if you send a message to me and I don't respond, message me again, and I love the reminder and keep me honest, because I'm here to help. And in our capacity, hey, I'll tell you what, we're moving fast and for a good reason, and we're busy for a good reason. And our mission really is that to go through and protect critical infrastructure, IT, OT, medical IoT. The product is absolutely insane. I mean, we have over 260 integrations, a lot of them that are bidirectional.
We have passive discovery, we have smart active querying. We can deploy wherever an organization is at, flyaway kit, SaaS, Hybrid, On-Prem, you name it. But I think most of all, what I'm most proud of is the fact that we are dedicated to the community. So not just showing up and selling a product and walking away, providing a solution and advisory capacity where they can reach out. And it's actually pretty cool for someone to message you on LinkedIn, just randomly, like, hey, talked to the other day, really like what you're talking about, can I just pick your brain about something? And that's the relationship that we provide. That's the plug, not only for me as an individual, but where I'm at working and very proud in the capacity at Armis. I'm here and we're here to support and whatever that looks like. And I just really appreciate the time today.

Aaron Crow (57:18.914) Yeah, man, I appreciate it. That's the, I think that's the key to success and whether it's industry or obviously our personal brand is having that openness and doing it for more than just to sell or a transaction, whether it's an individual transaction or whatever. Giving, the funny thing is, is when you give, you usually receive more than you give in the first place. And whether that's in a business or in a personal relationship and,

Kam Chumley-Soltani (Armis) (57:31.223) Exactly.

Kam Chumley-Soltani (Armis) (57:41.462) Right.

Kam Chumley-Soltani (Armis) (57:45.89) Mm-hmm.

Aaron Crow (57:46.114) I see that being super impactful, right? So same thing with me, right? I'm always an open door. You know, I'm very busy. That doesn't mean that if I don't respond to you, it's not because I'm ignoring you. It may have gone to spam or it just got lost in my list. So hit me up again, like follow up, don't take it personally, just reach out and just go for that for anyone. Like I said, this community is very, very good about that. You know, Rob Lee is known.

Kam Chumley-Soltani (Armis) (57:51.725) Mm-hmm. Mm-hmm.
Kam Chumley-Soltani (Armis) (58:00.919) Yeah.

Kam Chumley-Soltani (Armis) (58:06.794) Exactly.

Aaron Crow (58:14.626) probably the CEO of Dragos is known for directly responding to people that reach out to him on social media, things like that. It's really cool to see no matter if you're the CEO of a company or you're an entry level analyst and everything in between. Just reach out, ask for help. How can I get things? How can I, I'm having this problem or I want to get this job or I want to get an OT or whatever that may be. We're all willing to have it. We've all been in that seat, right? I started out somewhere. You did too, right?

Kam Chumley-Soltani (Armis) (58:21.547) Yeah.

Kam Chumley-Soltani (Armis) (58:33.868) and I'll Yeah.

Kam Chumley-Soltani (Armis) (58:43.255) 100%. Yeah, yeah, exactly. Like, it really is, again, having the captain of the ship to help steer you along the way. And you mentioned one already, like Rob Lee leading the way, Nadir Izrael leading the way, some really great people, Dale Peterson. I mean, there's so many people in the community, down from executives all the way down to the operators themselves. And we're here to help. I mean, I think when you say this, people always kind of cringe a bit, but it really is a family or a better word for it. It's a community. We're all driving board.

Aaron Crow (58:52.12) Yep. Yep.

Aaron Crow (59:08.908) Yeah, absolutely. Hi bud, I appreciate your time. Thanks for taking it. Since we both live in Austin, we definitely got to get together. We've talked about it. We've got to actually schedule time and do that. So let's make that happen the next not too long, distant future.

Kam Chumley-Soltani (Armis) (59:12.14) Yeah.

Kam Chumley-Soltani (Armis) (59:20.374) That's right.

Kam Chumley-Soltani (Armis) (59:23.86) Yeah, yeah, you got it. My pleasure, man. Stakes on that stakes in the roadmap for sure. OK.

Aaron Crow (59:26.508) There you go. Awesome brother.
We'll definitely reach out to Kam and take him up on that offer y'all. Have a good one. Appreciate y'all's time.

Kam Chumley-Soltani (Armis) (59:34.87) Thanks everybody, cheers.
