Why Cybersecurity Matters: Protecting Our Food Supply from Digital Threats with Kristin Demoranville

Episode 23 August 26, 2024 01:06:59
Why Cybersecurity Matters: Protecting Our Food Supply from Digital Threats with Kristin Demoranville
PrOTect It All
Why Cybersecurity Matters: Protecting Our Food Supply from Digital Threats with Kristin Demoranville

Aug 26 2024 | 01:06:59

/

Hosted By

Aaron Crow

Show Notes

In this insightful episode of Protect It All, titled "Why Cybersecurity Matters: Protecting Our Food Supply from Digital Threats with Kristin Demoranville," host Aaron Crow and guest Kristin Demoranville tackle the critical yet often overlooked role of cybersecurity in the food and agriculture industry.

Kristin stresses the need to shift from reactive to proactive cybersecurity measures to protect our complex food supply chains and ensure resilience. The discussion covers real-world cyber incidents like the ransomware attack on JBS meat company, emphasizing the human factors, financial misconceptions, and the necessity for robust incident response and business continuity plans.

Listeners will also learn about the dangers of excessive reliance on technology and automation, the significance of water conservation, and the importance of integrating OT security in data centers. Through professional insights and personal anecdotes, Kristin highlights the crucial need for community support within the OT landscape.

This episode offers a comprehensive look at the cultural and societal implications of cyber threats to our food supply, making it essential listening for anyone interested in the safety and security of the food industry.




Key Moments: 

 

00:10 Training and spreading awareness about operational technology.

10:21 Agriculture lacks attention; needs OT cybersecurity focus.

15:26 Security professionals foresee major food safety risk.

18:04 Supply chain issues during COVID highlight concerns. Regenerative farming and feeding the population.

24:04 ICS OT industry united in game proposal.

27:35 Designing systems must consider cyber risk implications.

34:11 Cybersecurity often an afterthought in many companies.

41:47 Respectful, supportive, and geeky cyber community advocate.

42:58 Texan upbringing shaped love for celebratory food.

51:10 Concern over CrowdStrike blaming and finger pointing.

57:16 Operator scans RFID tags from break room.

59:24 Resisting a wasteful task, leading to change.

About the guest : 

 

Kristin Demoranville is the visionary founder and CEO of AnzenSage, a cybersecurity firm specializing in the food and agricultural industry.  She also leads as the CEO and co-founder of AnzenOT, a groundbreaking SaaS OT Cybersecurity Risk Intelligence solution.  With 26 years in the tech industry, Kristin seamlessly blends cybersecurity with food protection culture, always emphasizing the vital role of people and processes.  Her extensive background—ranging from collaborating with Fortune 500 companies and various manufacturing sectors to studying gorilla behavior as part of her Environmental Management degree—gives her a unique and well-rounded perspective on cybersecurity and critical infrastructure.  A published expert and in-demand speaker, Kristin is known for bridging the worlds of food protection and cybersecurity.  She’s also the host of the Bites & Bytes Podcast, where she drives meaningful conversations between professionals across food, cybersecurity, and technology.

 

Anzensage Website : https://www.anzensage.com/

AnzenOT Website : https://www.anzenot.com/

Bites and Bytes Podcast: https://www.bitesandbytespodcast.com/





Connect With Aaron Crow:

 

Learn more about PrOTect IT All:


To be a guest or suggest a guest/episode, please email us at [email protected]

View Full Transcript

Episode Transcript

[00:00:00] Speaker A: You're listening to protect it all, where Aaron Crow expands the conversation beyond just ot delving into the interconnected worlds of it and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow. Awesome. Hey, thank you for joining me. Kristen. Why don't you introduce yourself, tell us who you are and what it is that you do. [00:00:25] Speaker B: Okay, great. Thanks for having me on the show. I am Kristin Demaranville. I am the host of Bites and Bytes podcast. That's bytes like you bite something and bites like computer bites, where I talk to cybersecurity and technology professionals and anybody else in the food and agricultural industry about cybersecurity and technology and what that means to our food supply. It's a really fun show, so you can check us out. I'm sure you'll have that in the show notes and all the fun things. Also, we're kind of doing a joint episode here, so it's one of those things that welcome to my listeners as well. But what I actually do, I am the CEO of ANZ and sage, which is a cybersecurity firm that's focused on the food and ag industry, mainly risk management, OT related assessments, those kind of things. Trainings, lots of trainings. I keep writing lots of trainings on what it means to be a cybersecurity professional in the food industry and how to be a better food professional and with cybersecurity knowledge. So that's kind of cool. And then the other thing, I am, I'm also CEO of Anzan OT, which is a OT resilience intelligence management platform. Risk intelligence, really. It features different things like cyber PHA assessment, scenario building playbooks. Lots of really cool intelligence. Things behind it is new on the market. We are a new startup, so come check us out there. I'm happy to talk about that all day long as well. [00:01:58] Speaker A: Very cool. Well, and for your listeners that maybe don't know me, my name is Aaron Crow. I've been in cybersecurity and network security and this ot thing before it was ever called that. I grew up in working in critical manufacturing, power utility, a lot of those critical infrastructures. I actually do have some experience in the ag side as well. I'm from Texas, so, you know, there's a lot of plants and things like that in this. In this space from. From chicken plants and a lot of. A lot of, you know, rancher, ranchers, et cetera. Right. So, you know, I also have a podcast, protect it all and emphasizing Ot. And it. I do emphasize a lot of that in the OT space. But as we talk about this stuff that I had this conversation, this is what, the 14 August that when we're recording this, and I just came back from black hat and Defcon, and I had so many questions. And I work in the ICS village. I'm a volunteer in the ICS village, which is a nonprofit. If you don't know about that, definitely check it out. ICS Village is great. They do a lot of training and nonprofit things to kind of spread the word for operational technology and the importance of it. But a lot of the conversations I was having at Defcon, I've got this really cool blinky light ot wall that's got a, you know, a PLC and secure mode access and a firewall. And it's really just a conversation piece to help people understand. And I got so many people. This is 2024. And there's so many people that came up to me and were like, what is this? So I said, oh, well, this is, this is ot in a box. What's ot? And I'm like, oh, okay. Like, we still many of them. And I love the question. Like, I'm very glad that they said, I don't know what that is. Like, some of them were like, I've heard of it. I don't exactly know what it is. So it was a. It was great to just be able to have that conversation, explain it. And there was one gentleman that he was going for his PhD, his dissertation, and he was writing this dissertation from an it OT convergence. We hear that all the time. I know my face did the same thing when he said it. And we had this conversation. He's like, well, I think ot, and it have already converged. And I'm like, really? Like, explain that to me. He's like, well, the technology is the same, okay? I'm like, he goes, ot now all has iP, so that means it's it. And I'm like, oh, no. So I had a 30 minutes conversation with this gentleman about why I feel that Ot is different than it. The technology is the same. Like, we see VMware and network servers and switches and all that kind of stuff that we have seen in it now in OT. But the difference is what we do with it and what it impacts, right? And the implementation of policies. I can't just take an it policy and push it into ot because it breaks stuff. It just doesn't work. And we've seen that, and it doesn't matter. The vertical. You're in agriculture, in power, utility, in oil, and gas and wastewater, it doesn't work to push it down in that way because it breaks stuff. And it's just a different, a different way. Like, we just saw this crowdstrike. I talked about the crowdstrike incident a thousand times this week. That's a great example of, I can't, I should not be patching or pushing updates to my OT systems. Just, hey, send it all. I should be sending to one at a time so that I can test and make sure, like, we should all have a testing plan. And it's not a crowdstrike issue. It's a, it's a policy. It's the people and process side of people, process and technology that are really the biggest difference in OT versus it. So that was my long rant of who I am and what I do and why I'm so passionate about this thing that we talk about. [00:05:37] Speaker B: I think that the biggest difference between it and OT, and I may be a little bit more blunt than you in this regard, but I always say, well, it's more about data, right? [00:05:47] Speaker A: Yeah. [00:05:47] Speaker B: And ot is about safeguarding lives. We could kill somebody. It's not necessarily going to kill anybody. Right. [00:05:53] Speaker A: Yeah. [00:05:54] Speaker B: So it's a different mindset altogether where you're focused more on the people process side and the tech and ot, but we want to make sure it just stays up and available so, you know, someone doesn't fall into a VAT and gets, becomes part of the muffin mix, you know, or they don't get electrocuted, or they don't drown, or they don't do anything that's awful and horrible, and nobody ever wants to go through that. And it isn't dealing with people's lives necessarily. [00:06:20] Speaker A: Right. [00:06:21] Speaker B: Probably is a little crossover there somewhere. But generally speaking, when I worked in it, I was never worried about people's lives. I was more worried about my own life and being assaulted by an end user because they were upset. That was really probably my biggest thing there. OT. I was worried about me catching on fire, watching somebody else get caught on fire, and all these other things happening around it. And I go back to those analogies because I think that's how it works a lot. We have to just keep talking that way to find that connection, that relatability convergence. I cannot stand that term. Like, it's right up there with air gapped and a few other terms that we say a lot. Yeah, it's silly. We gotta stop putting terms on everything because it's not helping. It's just becoming more of a problem where we just need to focus on trying to protect and safeguard lives, along with making sure that all these services that we support stay up and running, because we like running water, we like electricity, we like the food that's on our plates. We like that we can just go to the grocery store and buy whatever we want, whenever we want, because there's no seasons in a grocery store now, those kind of things. And that's why I love working in the industry, because I feel like I'm having an impact. I'm sure everybody in OT can say this. Ics is we feel like we have an impact on the greater good. And if you said greater good back, we're best friends, by the way. That's the response you do? [00:07:44] Speaker A: Absolutely. [00:07:45] Speaker B: Yeah. Yeah. And that's. That's how I feel about, especially the food industry, because it touches so many aspects. All the suppliers, the third parties, things you don't think about, like the containers that food comes in, that has to be done in a food grade level in terms of manufacturing, how. How we're interacting with the food, food safety aspects, all these different things. I just. It's like a jigsaw puzzle. I love it because it really expands your system thinking. And you have to realize everything is in a holistic sphere. And I think that's what we do as ot as well, is we're like, oh, if something goes wrong here, up here at, like, you know, 03:00 is that gonna be really messed up? If 07:00 is messed up, like, obviously this is gonna cause a problem with the hole because we all understand how production works, because it's all the same, right? It doesn't matter what you do. I mean, it's the same type of thing. Materials come in, they get mixed up and kicked out the other way. But that process in between, the thing that's the most important and the biggest issue is the people in the process. This technology is not going to cause the problem. It's people. And they'll circumvent everything we do to make sure it gets done, because they don't care. They just want to get their job and go home. Right, right. [00:08:52] Speaker A: I. Well, and it's always been that way. Even. Even back when I was an IT person, my first job in it was like a desktop support. And, you know, our joke was always like, if we take the users away, my job would be easy, right? Because. Because I can make the technology work. It's the people that cause my problems. Like, they. They're clicking on something. You know, this is way back in the day, dating myself, but, you know, the old school desktops, the big tower things, and we would literally have people use the CD ROM as, you know, coffee cup holders, and then their CD ROM tray would break off. And we don't have CD ROM trays anymore, or even cds for that matter. [00:09:30] Speaker B: We're dating ourselves now. Oh, my God. So funny. End users are the best and the worst at the same time. They're the best line of defense and the worst. I once walked into a factory. I think it was a media factory. So made like DVD's and cds and games for consoles and things like that, which still exists. Console games apparently still exist. I didn't realize they were still making them. And their help desk that was on site actually had a sign that said, if you ask a dumb question, I will light you on fire. I just, I died because I was like, wow, first of all, hr violations for days. But good for you. Like, you set the pace of what's going to happen when someone walks in that room looking for help. So I can appreciate the end user comment. [00:10:21] Speaker A: Yeah. And it's the same in any industry. Right. But speaking of, so I know you spend time and a lot of time in the agriculture. Before we started recording, we kind of talked about how it doesn't get as much limelight as some of the other, more popular, I guess, is might be not the right term. Critical infrastructure, power, utility, oil and gas, even wastewater and water. But there are 17 critical infrastructures in our country deemed by DHS and department homeland Security. So why do you think. Two things. Why do you think that agriculture doesn't get the attention that it may deserve? And secondly, what are some of the common problems and maybe even unique problems that agriculture has in the space that we need to make sure that we're thinking about from an OT cybersecurity perspective? [00:11:13] Speaker B: This is such a big question and I don't have the right answer. So I'm just going to kind of give you some train of thought on it. [00:11:18] Speaker A: Sure. [00:11:19] Speaker B: Agriculture and the food industry as a whole wasn't added to the critical infrastructure number for CeSa or Homeland Security until 2020. That wasn't that long ago. That is disturbing. First of all, I think it's a kind of a twofold issue where people think that the food industry doesn't have any money, which is hysterical because, I mean, Mars just bought part of Kellogg's today, right, as of today. And that was a $300 million deal, I believe. I don't quote me. I will sure notes, but it was something ridiculous. So tell me again there's no money in the food industry. Also, I believe, the largest payout for ransomware to date that we're aware of, and I say that loosely because we don't know at all, was the food industry. So there's money. So I don't buy that really very well. I think the actual reason is because nobody's got a handle on what the actual supply chain for food looks like. And that was shown very clearly when the ransomware for JBS hit the meat company because it was awful and still is. I was actually just speaking to some people from the cattle industry last week, and they were expressing their frustration of just how difficult it is to manage their supply chain. So what if a supplier gets hit like JBS? How do the grocers purchase any meat? They can't purchase it from them. So where do they go? Is there a backup plan? You know, there's all these questions. And I went even further and said, well, what happens with JBS? Because the cattle couldn't get slaughtered in time. So then you got cattle that's standing in trailers or holding pens. You can't retract them to the farm because they don't have feed or space for them, probably by then because they've already rotated. There's all these. So who. Who does the burden fall onto? The rancher? Oh, God, I hope not. You know? [00:13:12] Speaker A: Right. [00:13:12] Speaker B: Does it fall on the distributor? They don't have overflow pens necessarily. Nobody's ever tested their backup incident response plans. There's no disaster recovery. There's no BCP, because people just think, oh, well, you know, it's like business as usual. We're just going to lean on people around us in the community. But the community has shrunk because we're losing agriculture jobs every day. [00:13:36] Speaker A: Yeah. [00:13:36] Speaker B: Because people are moving to cities. It's not as popular anymore. It's trying to get a little more trendy, I'll be honest, around, like, regenerative agriculture, because you can be a total nerd and geek and still farm because now you can bring your cyber truck out to move your chicken houses, which. Which looks sexy, right? Like, not that sexy, but it's just the concept of it is sexy. [00:13:58] Speaker A: Yeah. [00:13:58] Speaker B: You could use, you know, you know, hybrid cars or plug ins to do that work. So that kind of is attractive, obviously. It's like I've been kind of joking around. It's like cyber farming, you know, in a way. But I'm. Don't quote me on that, because if somebody brands that, I'll be like, but those kind of things. People just don't have a good handle on the supply chain at all because it is huge. And instead of actually, and I say this all the time and I rip this off, a friend of mine that's an OT in the UK, but we literally keep trying to boil the ocean, find that silver bullet moment when we just need to sit down and make a cup of tea. [00:14:35] Speaker A: Right? [00:14:36] Speaker B: And if we start focusing on the smaller aspects, like, you know, people process, because honestly, it's probably the easier and less expensive to deal with and then move to, okay, we got these technology that are in these environments. What are we doing with them? There are companies out there turning tractors into autonomous vehicles via like, a little kit that's otics. Like, hello, does the industry know that? Did you know that, listener? Did you know that? Like, that's that stuff. When I hear that, I'm like, oh, my God, did anybody talk to the security teams around these? Like, the farmer doesn't have a security team. The farmer is enough time for that. They are just happy if they break even and make some profit at the end of the year. Like, that's what they want to do. Keep their families fed, the lights on, their cattle fed. Like, that's it, right? It doesn't have to be more than that. But here we are as security professionals who have been in the industry long enough, both of us, and we know just how bad it's going to get because nobody's been dealing with this. So, Mike, my worry, and I know I'm jumping your question set so everybody get it. What my worry is over the next, you know, three to seven years, roughly, is that we're going to have such a major foodborne illness issue out of the food industry because of some cyber attack that hit, whether it's nation state, bad actor, disruptor brand disruptions, whatever, that we're going to be so rattled that we're not going to know what to do. [00:16:02] Speaker A: Yeah. [00:16:02] Speaker B: And we're going to do the wrong things. We're going to put a band aid that needs to be a stitches situation and it's just going to make the supply chain even worse. And that's my concern. And I've talked to a few food safety experts who've asked me on air, literally, hey, how many bodies need to be on the floor before somebody does something? And my response back was probably a lot. And I hate to say that out loud, and the person who asked me that actually lost a child to E. Coli poisoning. So it was this really personal moment of, I'm sorry, to say, I just think we're not smart enough to deal with it ahead of time because people don't like being proactive. They just want to be reactive because for whatever reason and that's, that's frustrating. And I'm about to use some buzzy terms, so everybody just brace. But we need to move away from being in recovery mode all the time to being resilient, especially in the food industry. And that's what I constantly go in and talk about. You're going to get hit with an attack. I don't want to hear that you're not because you are. Are you prepared? And the response back is, I don't know, that's bad. Let's get on it. You know, like, that's, let's just not even think about it. I actually, as an owner of a software company, I actually got hit with a brute force attack a couple weeks ago. And instead of freaking out, we quickly triage and everything was fine. We didn't have any issues. No breaches happened, nothing like that. But I actually, afterwards, I had this cackle laugh for like five minutes with like, tears because I was like, we're legit. We got hit because you got to turn it around to be like a positive in a way. Like, oh, yeah, we're cool enough to be hit. Like, right? What did we do? Yeah, we, you know, whatever we're doing is, must be working our brand. [00:17:45] Speaker A: Keep it going. [00:17:46] Speaker B: Keep it going because we're doing well. And I think if people started looking at it from that, almost a comical mindset, they might be the laser to roll through it. But I am very worried about our food supply chain. And I'm not just speaking about the United States. I'm speaking globally because it impacts globally. It's not just here. [00:18:04] Speaker A: Well, and we saw so many supply chain issues during COVID like, it really brought to, it brought to bear how bad our supply chain in general was. We're already concerned with global warming and population and all of these things. The way that we do farming today with. They talk about how our top soil is. We have limited, yes, we're limited in how we can do that. And regenerative farming is the way of the future. But how do we feed everybody with that method? And there's just so many things that go into that, but just basic. Again, you hit on something that I repeated probably a hundred times this week in all the conversations in Vegas, talking at black hat and defconous. And it's ot a lot of the times, it's not sexy. The things that I need to do in the very beginning are not AI and quantum computing and all of these fancy buzzwords. Most of the time, it's very basic. You know, do I have a recovery plan? Do I know where my critical assets are? Do I have an asset list? Do I have a recovery option? Have I executed that thing? Does everybody know what part they play? It's. It's usually basic. Basic, you know, tackling. Right. And it's not all technology based. Maybe, let's say it's 50%, which I don't even think it is, that less than half of it is finding a technology solution, which there's some of the, the vendors that I work with that don't like it when I say that. I'm sorry, but it's the truth, right? There is no product I can grab off the shelf that's going to take away all the risk if I install it in an OT environment. I wish there were, but there's not. There is just not. [00:19:48] Speaker B: There isn't. And there's no real collaboration there. It's getting better. I shouldn't, sorry, I shouldn't say that because a lot of the OT products want to work together in some type of a collaborative environment, but they're still like, you know, this is mine, that's yours kind of thing, which is fine, whatever, I get it. But there's no. How is an end user supposed to navigate all these products when they're already working on slim margins and, and whatnot? You know, this being in the utilities, there's no money, like, money's allocated out. It's forecasted to hell. The food industry is the same way. And everybody runs on slim margins and slim production because they want to get things moving. They call it efficiency. They bring in just product enough that they have to get in and then push it out. It's ever anymore. So there's no spoilage or overflow. The water industry actually is learning how to feed itself, as I say, where they're selling their greywater to data centers that are close by to them. [00:20:42] Speaker A: Sure. [00:20:43] Speaker B: Brilliant, brilliant strategy, right? But that now means that ot is in data centers even more than it was before. Has anybody thought about that? Because your cloud needs ot. Like, hello, it's pretty obvious, right? And the water guys need more, more love because they don't get any either. And I will advocate for them until I turn blue in the face as well, because we need water for so much stuff in the food and ag industry, obviously. And we already have droughts everywhere. So there's that moment as well. Glaciers are melting, we have droughts, global warming. Fun times. [00:21:21] Speaker A: Well, a friend of mine is, I won't name the name, but a friend of mine works at a social media company with a very large data center. There's quite a few of them. It doesn't matter which one it is, but they have millions of PlC's. Millions? [00:21:35] Speaker B: Oh, yeah. [00:21:36] Speaker A: Controlling all sorts of things, from temperature to pressures to, you know, lights and air conditioning and val, there's so much, there's halon systems and all these different things. Buildings have ot, like any skyscraper, even. Not even a skyscraper, just a normal building you walk into. There's controls around sprinkler systems and all these different things. Ot is everywhere. We just didn't always classify as such. Like, it's a new term, relatively new term. It's been around forever. We've been doing automation since the fifties and before, really, but automation has been around. We've just started putting the technology side and putting ip addresses on it. So we brought these other risks into this space. But the OT's been here for, I mean, my dad worked in power utility for 40 something years. He's in his mid seventies now. He's been doing this this whole time. He was never cyber related. It was always control systems and control engineer and, you know, automation and instrumentation, you know, even continuing, you know, emissions monitoring as that came in to be a thing. But all of these things have been around for decades. We're just solving new problems to old new, adding new problems to existing and older problems. [00:22:51] Speaker B: It's true. And I have a similar situation. My dad was a fireman for 45 years, and that was all industrial equipment and PlC's and various other things. And he never really made the connection until I, when I did. And then he kind of was like, huh, so you're like a chip off the block kid, aren't you? Like, this is like a continual theme. I said, yeah, civil service clearly runs the family, dad. [00:23:13] Speaker A: I mean, exactly. [00:23:14] Speaker B: That's really kind of what we're doing in civil service. But yeah, no, absolutely. The more we added tech into these environments, and I mean tech by like Internet ready Iot, that kind of stuff, the more we turned all these legacy devices onto the Internet. They were like, whoa, what is this? I don't, I don't know if I like this space. I might cause a problem now. You know, like it was, it's kind of like you gave your grandparents like a cell phone, right, or a smartphone, and they were like, what is this? And also they started falling for all those scams. It's kind of the way legacy tech works, you know? It's sort of just like, oh, hey, you're my friend. Come on in. I don't know you. Like. And the problem is, we didn't put any guardrails around that at the beginning, and now we're still kind of digging out. And it's so funny because you go around the world and it's the same everywhere. [00:24:03] Speaker A: Yeah, it's. [00:24:04] Speaker B: No, I mean, that's. That's the united front for us. Like, it's. It's really quite brilliant in that regard. I thought I was going to deal with it less in certain countries than I did in others. And, nah, it's the same all around. We can't get people in process. Right? That's what keeps messing it up. But I do absolutely adore this industry. I think that we're a great group of people. I also think that we should start some type of a. A game, because you just gave me an idea about how we'll be in a place like Vegas or wherever we are at a good security conference and play the game of, like, kind of like a bingo game or like a trivia game. Like, name all the ics ot equipment that's around you. [00:24:43] Speaker A: Right. [00:24:44] Speaker B: You have. Here's the number. It's about 150 or something like that, right? Find them all, like a scavenger hunt, right? Yeah, I think that'd be cool. So if somebody does it, let us know, because we totally want to participate and probably dominate it and win it. I just. That's how I used to do it, too. When I be sitting around with people who didn't understand, I said, well, where we are right now, I can count at least six devices that are close to us that run that type of equipment, and they're like, well, I don't understand. I said, that elevator, that alone, like, you know, that kind of thing. And it's. It's so interesting watching people realize, like, oh, well, I've worked with that kind of equipment before. Well, you've been an OT then. Like, that's. I'm not saying you are an OT person, but you have worked in it before. I actually jumped into OT at a bakery company, and I didn't even make the connection. I was doing ot because I was doing it. We didn't have an OT department. We were the OT department. But I didn't know all the really cool technology names and bells and whistles and things. I just was like, yeah, the thing that goes over there and doesn't kill anybody. Like, that's what I recognized it as. And realizing as I moved through my career, I was like, oh, I've been an OT for a while. Yeah, okay. Like, that's fine. But I enjoy it because we're protecting people. It's not just about the data, because data is sexy. Don't get me wrong. It's like, you know, the new gold, and we all love it because it's cool and gives us good things we can look at. But the idea to be able to sit at the end of the day and realize that you helped save someone's life and kept them to go home to their family, like, that's amazing. Like, that feels really good. Really, really good. And I want to continue to do that, especially when it comes to food, because we're like a breath away from a foodborne illness, because we don't understand food security around the tech that's in these environments. And we just keep adding more stuff because digitalization is a huge thing in the industry. [00:26:33] Speaker A: Sure. [00:26:33] Speaker B: They've been automating forever. If you think about the food industry as a whole, how it's come up. We originally were the ones plowing the field, and we attached the cattle or whatever, horse, and then we moved to the tractor and da da da da. The food industry has been innovating forever. They're great innovators. R and D is fantastic. We have lab grown meat now. Hello. Like, these are things that are, like, kind of crazy. We can 3d print a salmon. It would be pea protein, but we can do it. So, for me, why aren't we attaching cybersecurity to technology more? Yeah, and I don't want to get into the whole product security conversation because that's a whole different rabbit hole. And I blessings upon the people who do that work. But why aren't we having more of that conversation inside of these environments? It's because cyber needs a rebrand for OT. We literally cannot explain what we do very well. And I think if we could, we'd probably win more hearts and minds for that people process aspect, for sure. [00:27:35] Speaker A: Absolutely. And the talk I gave it at Defcon, actually, in the ICS village, was about cyber informed engineering, which came out of a term came out of Idaho national labs, which is a doe sponsored laboratory. The whole concept around it is we need to build cyber as part of the overall system and integrate that. When I'm designing the system, cyber needs to be considered. Right. We've got old equipment, we've got legacy equipment. We've got new equipment anywhere in there. We need to be considering cyber as a risk and as a part of our remediation. How are we going to recover when we say cyber? People that are outside of this, or even people at Defcon and black hat, when I had this conversation, they immediately think, well, I mean, they're state, you know, North Korea, China, whatever. It doesn't necessarily mean that it can be simple ransomware. It can be misconfigured hardware. It can be insider threat. Like, there's a lot of things, and it's not always bad actors from another country that are, you know, trying to attack us and start World War three. Some of them are, but not all of them. [00:28:43] Speaker B: Yeah, I know. Exactly. And I think we have to think beyond it inside of the OT environment. So I'll give an example. Right. And people can think what they want with this one, too, please. I would love to hear thoughts around this. You have an allergen issue inside of a factory. So you have a peanut area and a non peanut area. You have a disgruntled employee that goes from the peanut area to the non peanut area. Whose problem is that? [00:29:07] Speaker A: Right. [00:29:07] Speaker B: Food safety, food defense. Absolutely. You get that problem, but it's also cybersecurity's problem, because with the industry that we work in, food and egg, cyber physical is still cybersecurity to me. Physical security is still cybersecurity to me. That access control should have been managed better, whether it would have been biometrics. If you could do that without gloves or those kind of things, eye scans, badge readers, that's cyber. And it. Which is also could be connected to OT, depending on your access level, control where you are. Cameras. There should have been cameras. There wasn't a. I mean, the only reason they found out is because they did some testing on the other end from quality, and they realized, oh, whoops, we have, you know, peanuts in our cookie, that we shouldn't have that go after this major retailer, which they lost that retailer because that incident, because they lost face. It was a mess. It was a total brand incident. Total nightmare. That, to me, is something that cybersecurity and ot should have been involved in. It shouldn't have happened in the first place because they should have set up parameters to get around that, you know, not to ever happen. And then on top of it, we should have had that conversation. We should have been part of that conversation. That bothers me a lot that we don't think that far, because that's a resilience piece, because people are like, oh, well, that's not. That's not an adversary, that's not a cyber attack. It's an insider threat. To me, describing this incident to a food defense professional, they literally said, that's terrorism. They would class that as terrorism on their report. And I went, wow, so that's like domestic terrorism. They're like, yeah. And I'm like, whoa. So now we have a whole other level of things I didn't understand at that time. And now looking back on and thinking about the system as a whole. Yeah, we have a stake in this. We have responsibility. Access control is our problem. And I've had to define what a cyber physical system is multiple times recently. I thought it was self explanatory. Sorry, I'm not picking on people who don't know, but I literally have had four people in the last two weeks ask me exactly what that is. And I've been on air when it's happened, and I'm like, well, it's something that can get on the Internet. Like, I guess that's how the best way I would describe it to you. It's something that could be both physical and cyber related. So push a button, pull a lever, but you gotta sit on your couch and push a button on your phone, you know, and people are like, oh, cyber physical. Wouldn't that just be Iot? I'm like, not necessarily. [00:31:33] Speaker A: Right. [00:31:34] Speaker B: So it's a. We've got some. We've got some branding term issues we need to deal with in order to make this more mainstream, even though it is mainstream, because we all eat and we all work and around this a lot. And I don't. I don't think it's us. I don't know. I don't know what it is. But we need kind of a rebrand in the OT side to be able to start communicating what we need in order to serve the companies and the people that we do. Because we can sit in a room all day long and geek out and get excited. We do. Every time we're at a conference together, everybody's like, whoo. I will say that otics conferences are my favorite. Not because I'm biased, because I'm in the niche, but we have a different conversation. It's not. It's personal. It's almost intimate because we understand the human factor here differently. And we look at it like that in a very severe way. And like you said, it's not sexy all the time. We have to wear more protective gear. That makes us look crazy all the time. I mean, you have hard hats behind you. I mean, I have had to wear multiple hair nets and, like, basically a shield. And you have to, like, put yourself into a zip up, like, white suit. Like, it is not. You are not attractive. You look like a stay puff marshmallow went wrong. Like a, you know, it's not good. And I. But I still love it. Like, I can't imagine not working in this industry, right? Like, I can't imagine not being here. And the fact that I get to sit on podcasts like this and talk to people like you, it's just so much fun. Great time here. [00:33:11] Speaker A: Well, and there's so many, again, we mentioned it, but there's 17 critical infrastructures. And the reason that they've been categorized as critical is because they're critical to human condition as Americans in our country. And if any one of those go down, it is going to impact our lives, all of our lives, not just yours, not just mine, but everyone's. Like, if the power goes down, you can't pump gas, you don't get water. You don't like, everything tumbles down. [00:33:40] Speaker B: The hospital. Forget the hospital. Don't even bother. [00:33:43] Speaker A: So the reason these things are critical is because really smart people sat in a room and they said, hey, what are the things that if they go down, are going to impact society? Like the bigger society? So there's 17 of those. And I would argue, and I've worked in many of them, not all of them, but many of them, and I would say almost all of them, at least the ones that I've been in, are underfunded under. People don't understand the risk, including the asset owners, and they don't have the right people and processes. And unfortunately, cyber is not designed and engineered into the system, and it's an afterthought. And unfortunately, usually an afterthought after something bad happens. Like the example you just gave about the peanut. Right. They start looking at these systems when there's an attack, when there's a breakdown of physical or cyber incident, and then they have to, because the spotlight is on them and they're required to. And then everybody else, maybe hopefully around them that are similar, say, oh, it happened to them, it could happen to us. We should look at that, too, or there's regulation that comes down. So unfortunately, that's where we sit a lot of times in this industry is. And it's not because the companies are bad companies like, it's not. These are some of the best people I've ever worked with. They want to do the right thing, but they are strong to behind they can only do what makes them money. And unfortunately, cyber and all this stuff is not a revenue center. Like, we're not creating revenue value. My power plant's not more efficient. I don't create more wheat because I put in cybersecurity. It's more almost like an insurance policy. And nobody likes paying for insurance. Like, it's just like this. [00:35:21] Speaker B: It's. It's a return on investment, right? You've got to value your property, if you will, or your ip or whatever you want to call it. If you don't, then you're going to be running into this constant recovery mode that we're stuck in, like on repeat. We are on repeat in recovery mode. We need to get out of recovery mode and start focusing on being resilient because it's going to happen and there are cost effective ways to get around it. But again, it's not the sexy stuff, it's the people stuff. Right. And nobody wants to talk about people because people are hard. And maybe that's part of the reason why food and ag and even water kind of got left to the side is because people are hard. And that's part of it. Also, the people who came to the table first were oil and gas. [00:36:04] Speaker A: Sure. [00:36:05] Speaker B: I mean, they have a stronger lobby, let's be real. But most of the countries that are out there also have their critical infrastructure and food, and AG was put on theirs the first bit. So I don't, and we have so many examples. And I know, I know. I don't want to be heavy like nation state poo poo here, but here we are, we already have examples of how this is happening. If a country needs, if they want to destabilize a country, they will do that through electricity and food because they want you to freeze to death in the winter and I. And they want you to starve. It's basic warfare. Right? I think we all kind of picked that up in critical thinking in college, you know? And if we didn't, we picked it up along the way anyways. That scares me. Do we already have examples? Ukraine is a great one. I'm not a great one for a good reason, but it's a great example of this for happening. And it's so frustrating to me that we still haven't realized this. I have a good friend of mine who is an agricultural futurist. He's a strategist. He does focus on cybersecurity as well. And he, he asked me deadpan one day, have I ever starved? Or how was the longest I went without food. I'm like, I don't know, 48 hours maybe because of a flight situation or something like that. And he goes, you know, he's like, I tried an experiment for ten days, and I. He's like, I didn't make it that far. He goes, it made me realize, how many hours or days would it take you to commit a crime if you had to feed your family and there was no food? [00:37:40] Speaker A: Yeah. [00:37:40] Speaker B: And I thought, I don't know, probably some people make a couple hours. He goes, if he said the average is something like 8 hours. And I was like, that's chaos. That's chaos in the street, literally. And everybody would feel it the same way. I can't imagine specifically the United States being in that type of chaos with the amount of guns we have in this country, for example. I just think that that is, this would be, this would be apocalyptic, right? So the fact that we haven't completely focused dead on to how we're going to deal with the supply chain. Yikes. And also, we're growing so much food for animals, right, rather than human consumption. I'm not saying that's bad because we still have to feed animals. And it's sort of like, it still doesn't make sense to me that we're still feeding animals like soy and corn. I understand. Like, they don't normally eat that. And it's kind of weird to me. But we don't have the grazing ability for herds that we have to do that the normal. The normal natural way, I guess, right? So the fact that we have these monocultures that are killing the topsoil, and there's been some studies recently come out because I'm a total nerd for the environment, because I have a degree in environmental management. I love wastewater treatment facilities. I think they're the coolest things ever. But they're doing a study right now based on the wars that are going around the world. What's that doing to their topsoil as well and how that's going to impact the world on a global front? And I'm like, oh, yeah, now we've got that to worry about. Like, great. Like, what's next, locusts? Oh, I'm sure we've got that coming, too. [00:39:15] Speaker A: You know, careful what you asked for. [00:39:17] Speaker B: I'm not asking. I don't want it. I'm all set. If it's. [00:39:24] Speaker A: The one thing I'll say on that is you look back and we do have a couple of examples of that in America. And you go back to Katrina when we had the hurricane that came through in New Orleans and we saw martial law in two or three days and people that were committing crimes and going at gunpoint. And these are not bad people. These are everyday people like you and me that are desperate because their family is starving, their baby is starving. They don't have food, they don't have water, they don't have a way to evacuate. Like, there were basic needs in our country and that was with FEMA and with the National Guard and the amount of, you know, public services that we have. And it was one small area. Imagine that on a large scale. Imagine that across our country when we can't just, you know, rally the troops from all over their country to this one geographical area. Imagine if that was on the east coast in the center and on the west coast all at the same, same time. It would be, we wouldn't even recover as well as we did at Katrina. And we all agree that we didn't recover well then, like, it was really not our best time. [00:40:33] Speaker B: No, I mean, look how, look how the other disasters that have happened, whether it's a train accident or Flint, Michigan. [00:40:40] Speaker A: Yep. [00:40:40] Speaker B: They're still have fallout because priorities shift and we've got to spend money in other places or we, you know, we've got a conflicting opinions or something stupid like that. This is why it's so important for Ot to continually beat the drum of this is a problem. This is where it needs to be fixed. If you aren't willing to fix it, you now have to accept the risk this could potentially happen. And by the way, when I'm not going to turn around and tell you I told you so, I'm just going to give you a report. So, you know, like, and I'm here if you need me kind of thing like, that's it. It's all we can do. But the fact that we have to sit on this type of knowledge all the time and go to sleep at night gets a little frustrating sometimes. And, and this is why I think as a community in OT, we, the fact that we all support each other so well and kind of uplift and kind of have that, you know, therapy moment, if I even want to use that term when we're together, is so important because I have sat there and listened to tales and I know you have to. I've just stuff that's going on and obviously that we're being very respectful. We don't talk about where it's happening or what's going on, but to have someone tell me that story and then you could see the weight lift off of them. But now it's on you because you now know. But, like. But the fact that, like, we can come together as a community like that, I just wish the rest of the cyber community would do that. [00:42:06] Speaker A: Right? [00:42:07] Speaker B: Rally behind each other instead of just being jerks. It would be great. And I, like I said, I adore this community in general. And I love that we fit so well into the company, the companies and the places that we serve, because we're just as geeky as they are, what they do. And I, like I said, we all love to eat, so it should be a no brainer there. You know, I realize that all of us have different relationships with food based on your body and different things in your life, but we all do like to eat, and we identify with food from where we're from. [00:42:40] Speaker A: Yep. [00:42:41] Speaker B: It's part of a cultural experience. We celebrate with cake. We. We say goodbye with cake. Right. Cake is kind of the thing. We also have, you know, our favorite food memories. I talk about this on my podcast all the time. What's your favorite food and your favorite food memory? What is your favorite food and your favorite food memory? [00:42:58] Speaker A: I have so many because my family, I grew up in Texas, and a lot of our celebration, all of our celebrations are really around food. My grandmother making food, and, you know, whether it's fried chicken or whatever it is, I remember my grandfather having these big mounds. He was a very, very skinny person. Grew up very poor, but, you know, as an adult, like, he just loved to eat. So it was always just this big mound of. We had more food than we could ever eat in a lifetime. Every time we got together, it was always around food. And that's the. The irony of what you just said, right, is that food memory, we all have those food memories. Now, maybe the food that we bring is different because of where I grew up or where you grew up or what country you're from or whatever. But I think we all tie back to breaking bread together. Right? And some of the best relationships, you know, the best nights out wherever, you know, when I go out with my wife, the best meals that we've ever had, I think they would not be quite as good if they weren't with her. [00:43:57] Speaker B: I. [00:43:57] Speaker A: Right. It's the company that you're with. Yes, the food's great, but if you have great food and horrible companionship, all those things are linked together. So it's not going to be that great and memorable of a meal. But if you're with great, the people that you're with are amazing. The food can be mediocre, and it's going to be the most memorable time that you have. And you're going to be like, oh, yeah, we had this, and it was a really good burger or cake or whatever. The thing is, because you're there together, it's part of human nature that we have all of these things and that we tie all around the campfire and cooking and eating food together. It's. It's. It goes back to the beginning of time. [00:44:36] Speaker B: It's also identifier. Right? I mean, you say you're from Texas, so Tex Mex. We all kind of know what that is in this country, people who live in other countries, because I do have a lot of listeners around the world. You probably had some variation of it in your own country because sometimes other countries do it better than us. [00:44:50] Speaker A: Right. [00:44:52] Speaker B: You know, and I've had some of the best curry of my life in Japan. Not japanese curry, but indian curry, because they do it really well. You know, the UK has its own version of curry, whatever. But I think that it's interesting how much that blends, right? Because my fiance is british, we do curry on Friday nights as an example. And Curry wasn't something that I grew up with. I grew up in New England. We eat basic, boring food. No offense, if my mom's listening, I love you, but it's one of those things where I wasn't used to that, but now it's blended into my culture and my reality. Right. I love how food brings you together like that. Try something new, experience something different, but also have the nostalgia of things you remember. And I remember family cookouts, too. I mean, we did some weird things with salads and jello and I don't know what was going on. The eighties and the nineties were kind of complicated. Or with, like, mayonnaise and like. And, uh. Anyways. [00:45:47] Speaker A: And margarine. A lot of margarine. [00:45:49] Speaker B: Yeah. What was the cool whip? [00:45:52] Speaker A: Oh, yes. [00:45:55] Speaker B: Too much. Yes. But these are brand names that we remember, and they're still on the market. You can still get them and they're very clearly there. I mean, I don't know if I'd have it now, but, yeah, because I'm in a different state in my life. But no, it's fun for kids, you know? [00:46:08] Speaker A: But even today, like, my kid wins, you know, gets a trophy or whatever. We're celebrating with food. Like, let's get you ice cream. Let's celebrate with ice cream. Let's get you a cookie. Like all those types of things. And we try not to go too much because, you know, we don't want them to be unhealthy. But at the same time, it's fun, it's memorable. They enjoy it. Like, we. We get joy from this food and we take it for granted, especially in America, where we have unlimited amounts of food. If I want anything, I go to the grocery store and they have it. Like, anything I want. You like curry? You know, sushi. Like, you can literally go to your grocery store and get sushi. Is it the best? No, but it's pretty darn good, comparatively speaking. Think about 200 years ago, trying to get. Get sushi in the middle of the country. Like, it wouldn't have happened. [00:46:53] Speaker B: I mean, you could probably cut open a freshwater fish and try to see me yourself, but I don't know about that. But I think it's also changed my perspective on food when you have it in an authentic space. Like, I've had the privilege of going to Japan several times for work, and it. I can't eat sushi in the States anymore. It corrected for me. It's sort of like, I can't drink Guinness in the states. I really only wanted an Ireland or the UK. Like, certain things have changed, but then you wait for that moment and you have it, and you're like, yes. Like, and it becomes this whole awesome thing. And if I think about the fact that we have all these issues globally, some of this food that we love and we talk about may not be available to the next generation or the generation after that because we made bad choices, people, you know? [00:47:39] Speaker A: Yep. [00:47:40] Speaker B: And also the idea that a cyber attack threatened people's lives through food, I can't really think of anything even worse than that. [00:47:50] Speaker A: Right. [00:47:51] Speaker B: Honestly, because it's such an intimate attack. It's an intimate attack. It's not just like, oh, we're going after finances and da da da da. What? No, no, that's to destroy people like that. That keeps me up at night. Not every night, but there's some nights, like, oh, my God. Like, we're just like, a hairpin from. It sometimes scares me, and I don't. I don't want people to know that, because I do have professional and friends that have lost children to E. Coli poisoning and other different poisonings, and to. To tell a parent that their child is passing because of a burger that was contaminated, I mean, that makes me want to burn a house down. Like, that's not that I'm an arsonist because I'm a firefighter family. However, I will say, it does make me very angry, and my anger doesn't matter, right? Because at the end of the day, I can only do what I can do. [00:48:41] Speaker A: Right. [00:48:42] Speaker B: I want more people to understand that, especially in the OT space, we are doing things that safeguard lives on a whole other level than we expected to in our career. I certainly didn't think this was going to happen in my career. Someone was like, oh, you're putting a cape on every day, and, like a superhero. And I was like, I don't know if I want to go that far, but if it helps you with the visualization of what I do, that's fine, but I don't want to put myself on that level. This isn't a pedestal moment, because we are a team. Like, OT works as a team. We really believe that we are in supporting each other 100%. [00:49:16] Speaker A: Honestly, I think we should all put on the cape. Right. I think it's everybody's duty to do your part in whatever small way that is. Right. The people part of that is we all have a calling to do something, and each person's little contribution in stopping and saying things and raising your hand and not just, oh, well, he's smarter than me. He's been here longer than me. I'm not going to say anything. No, raise your hand. Voice that concern. Bring that thing up. Push that agenda or idea ahead, because it matters in the grand scheme of things. It takes us all to challenge. Evil prevails when good men do nothing. It's really that simple of, we have to stand up and say, no, that's not okay. Like, we have to stand up even when nobody else in the room is gonna agree with you. I don't care. Stand up and say it and be curious. [00:50:09] Speaker B: Start asking questions like, oh, really? Is that ot? Like, I want someone to actually ask me that. Like, oh, do you think that's ot? I'm like, yeah, let's connect to the Internet. And I want that question. Be curious to the point of annoyance. We don't mind. We really don't. And we want you to ask questions. And we also want to ask questions. That's what we do. Because we are constantly evaluating everything. It was funny when Crowdstrike hit, as an example. First of all, my heart went out to anybody with it, obviously, but it didn't surprise neither myself or my fiance, because both of us are in security. So in OT specifically, and it was just one of those, like, you know, like, this is not good. However, hopefully, it's a lesson learned moment where you can't just have one thing holding the pillar up out of all of it. You need to actually have a better look at it. And I hope that the people that were affected are taking a long, hungered look of what they have in their environment. Now, what else could be critical and concerning? Right? [00:51:10] Speaker A: Yep. And my biggest concern with the whole crowdstrike issue is that I think from what I've seen, I think a lot, and from my experience, a lot of these folks are going to be pointing the finger at Crowdstrike as a company and looking at, hey, this is what you did wrong. And I'm not saying there is no blame because in this, it's just like, you know, anything, there's blame. There's plenty of blame to go around, but that's not going to solve anything. At the end of the day, yes, there was a misconfiguration. They pushed out something. But ultimately the bigger problem was, is that these companies just randomly pushed it across their entire organization without testing, like in an OT environment, especially in a power plant environment or any of these critical infrastructure. I would never just blind, I don't care if it's been tested 50 times before. I'm going to push it to one system, make sure that it comes back up, and then I'll push it to a second one and make sure that one comes back up and then I'll push it to a third one. It's a pain in the butt and it takes longer. [00:52:06] Speaker B: Yeah. [00:52:06] Speaker A: But it's what I'm going to do because I've seen the bad side of this for the past 20 years. This is not the first time I've gotten a blue screen because of an update. So I'm not going to get burned by that again. And we've got either it won't. And it's not Crowdstrike's fault. Like, yes, this incident, it was caused by crowdstrike, but it's not the bigger picture of the root cause analysis. If I did a root cause analysis on this, the issue, yes, that was the trigger, but that is not the root cause of the problem that caused this bigger issue. [00:52:35] Speaker B: It's people in process. [00:52:37] Speaker A: Exactly. [00:52:39] Speaker B: And actually, when, when the event happened, I messaged a good friend of mine. My best friend actually works in a cheese company in Wisconsin. Insert laughter but I asked, I said, I know you guys have crowdstrike. Like, are you guys all right? And he goes, well, actually, we happened overnight. We were able to pull some backup systems and we're able to roll it back so it didn't affect our production it just affected, like, a sanitation shift. And I was like, oh, thank God. Like, you know, I was really. And I was checking on other friends just to make sure they were okay kind of thing. And thankfully, the food industry was okay, which is good from the small sampling I did in my life. But I was glad to hear that they focused on resilience more than recovery. And I was like, yes, like, we're getting there slowly. I don't care if it was five people I knew, but it was good. But as ot professionals, I can't even tell you when you read an article or have a conversation with somebody and they're like, oh, yeah, it's about legacy systems that aren't patched. Is it? I mean, I. There are systems inside some of these factories that I've worked in. I know you've seen this, too, that are probably like 40 years old, probably running 98, 2nd edition. Rocking it, right? 98, 2nd edition is a solid operating system. If it's still up. I'm sorry. [00:53:55] Speaker A: Yeah. [00:53:56] Speaker B: We all know you don't touch the dust. You don't touch anything on it, because it's probably holding it up by a threat, which isn't good because you don't want that either. But there's ways around dealing with that that you don't have to upgrade. Because upgrading a system like that is probably running one process that comes up once a quarter. It's going to be millions of dollars. [00:54:13] Speaker A: Yep. [00:54:14] Speaker B: Probably entire budget for a year for a company. Right? [00:54:16] Speaker A: Yeah. [00:54:17] Speaker B: The trick is it's just making sure that you segment it and you know it exists and making sure you watch it. Like, just watch it. It doesn't have to be anything more than that. It doesn't to be the big fancy everything around it and all these bells and whistles. I mean, if you could afford all that, that's cool, but do you need all that? Somebody once said on a podcast of mine, not that long back, do you actually need that tech? Are you okay without that tech, specifically talking about farming? And I was like, that's a really great question, because you actually need it. If everything's working okay and you're okay and everything else around it is okay, why do you need to bring that in? Is it? And I. And he goes, isn't that just another risk attack vector? And I was like, this is a brilliant conversation. I love this because it's true. That's how I think about it. In a lot of these industrial environments. Do you actually need that? Do you need to be able to sit on your couch at night and monitor the temperature of your vat. I mean, if you do, tell me that's fine, but do you really need it? Because you have a 24 hours, 24 by seven plant. Do you personally, do you need. Why do you need it? Are you going on vacation? You shouldn't be looking on that. On vacation anyways. Like, what is this? If it's got a practical reuse, that's brilliant, and we'll do it. But if it's anything crazy, let's rethink it. I think we need to have that conversation more in the industry, especially in food, where, because we automate, we add all these really cool things. We do all this stuff and it's awesome. And now we have, like, chick fil a mobile delivery units in Georgia. I don't know if you see it in the. They're kind of creepy. It's literally like a little bike that drives up to your house and it's all automated and it's insane. [00:56:01] Speaker A: Wow. [00:56:01] Speaker B: And I'm just like, I don't know. I don't know if we've gone too far. Yeah, like, maybe we need to roll that back. [00:56:09] Speaker A: Well, I'll give, I'll give a last story here. And it's very similar to that. You know, working in these places, operators have, we do what's called operator rounds, where they walk around with some kind of handheld. It could be a piece of paper, whatever. In this particular area, it was a, it was a power plant. And they were. That we had RFID tags on equipment, so they would, the operator would walk up and they would scan the RFID tag and it would pull up the operator round portion and it would be a valve or a gauge or something, and they would put in readings, you know, temperature, pressure, you know, vibration. They put hands on it. They talk about if there's anything, any oil leaking or if it's dirty or whatever the thing is for that. And it could be, you know, ten steps long or it could be a hundred steps and it could take them all around the facility. And we started noticing as we were doing reviews of the operator round and the data, the data didn't make sense. And we were trying to get better information to do tuning and all that kind of stuff. And it just didn't make sense. And sometimes the numbers were like, way off. Like, temperature would be 9 million. Like, yeah, I don't think so. So is that an error? Is that an operator error? Are they entering it wrong? Is a key sticking? Like, what is going on there? So as I'm walking it and I'm doing this. And so I've got this guy, and we're doing around, and we're walking, and he's scanning, and we're going through it, and, and everything looks fine. And then at lunchtime, we go in the break room where all the operators hang out, and they're in there playing dominoes. And as they're playing dominoes, one of the guys, he's like, oh, hang on. And he leans back in his chair, and right behind him, he's got, he's got the handheld in his hand, and he leans back in his chair, and he scans an RFID tag that's sitting on the wall. [00:57:49] Speaker B: I. [00:57:50] Speaker A: And he does something on his thing, and he goes back to playing Domino's. And I was like, what? What did you just do? He's like, oh, man, I got to do a round right now. But I'm in the middle of the game. I'm like, okay, what, you just scan? He goes, oh, I made a copy of all the RFID tags are out in the field, and I just scan them right here, and I can do it right here from launch room. So they had gone out of their way, gotten blank RFID tags, went through all the rounds, and duplicated every RFID tag. And he knew how long it took him to get from one to the next, and he was just randomly scanning them and putting in fake data. [00:58:23] Speaker B: Oh. [00:58:27] Speaker A: I mean, so, so it goes back to your point of sometimes you don't need the RFID tag and the fancy thing to make it more efficient and know exactly when they're scanning. Sometimes you just need somebody to watch over and say, hey, that's not a good idea. And those things had been there for a long time, and nobody noticed. Nobody saw, saw somebody. It took me five minutes. Like, I was in there for half a day, and I saw him scanning in the lunchroom, and it was very obvious, but nobody ever checked. And it's not. The guy was a bad guy. He was just, everybody else had done it. He thought it was okay. He didn't understand, and it really came back to a people problem. And it wasn't that this was a bad person. He didn't understand the value of the round. So when we started digging into it, it was like, dude, we've been putting fraudulent data in here forever because the system is broken and nobody says anything. So obviously you guys are not getting value from this. So it's a waste of our time. And that's really what it came down to, is they thought it was a waste of time. So why am I going to go walk out there for something you're not looking at anyways? I'm going to stay here and play my dominoes. And he wasn't wrong. And we were trying to fix the problem, and the ultimate problem was explaining and fixing it so that we were looking at the value instead of just having them do medial tasks to make sure they weren't being lazy, which is what originally, I think, the thing was put in for. And it completely broke it, and it blew it up. And we changed the policy all throughout the company because of that one incident that we found, and he didn't get in trouble. In fact, I thanked him for letting me see it, and I asked for his help to help me build a better process that they would be part of and want to make it better. [01:00:09] Speaker B: See, this is why you got to go back and talk to the people, because they'll find the exploits for you, you know, and they'll tell you, and he didn't do anything inherently wrong. No, it just. It seems a little shady. Of course, when you describe it, you're like, oh, my goodness. But. But at the same time, like, first of all, good on them for exploiting a system. Like, for that would. Was causing a problem for them. But like I always say, if you put a control, and no matter what it is, if it's affecting their production level or interferes with their safety, they work around it. [01:00:44] Speaker A: Yep. [01:00:45] Speaker B: I've seen it too many times. And also, if you don't work with the environment you're in, it's never going to work. Well, I remember I didn't. Something I learned on the job. Did you know that Wi Fi signal does not go through bags of flour? [01:01:00] Speaker A: Makes sense. [01:01:01] Speaker B: Yeah, it does. But I'd never made the connection because I never dealt with it before. And I found a maintenance manager who had no cybersecurity background, or it background on a scissor lift moving an access point because they couldn't get signal to pick the orders on their little forklifts. So he was up there, and I just happened to be in the factory that day, walking to the floor to get to the production area, and I caught him, and we had a fight right on the floor. Not physically, just, you know, verbalcation of, you're an idiot, you're an idiot kind of thing, and back and forth. And then my response was, why didn't you do a heat map scan for the Wi Fi when you had a full warehouse? And he goes, because we're busy. And I was like, okay, then you need, there needs to be some give and take here. Let's have a conversation. I got somebody in to do it right after and we're able to kind of like readjust a little bit, but. Oh, man. Like, exactly. People are gonna do whatever they have to do to get, either play Domino's or get orders. [01:01:55] Speaker A: Paydeh exactly. Exactly. So we've been at this for about an hour. I know that we both have a lot going on. Why don't you tell us where, I know you mentioned you've got some speaking engagements coming up. Why don't you tell the audience how to hear from you, where they can find you and maybe, maybe see you live in person doing some conversations around this fun stuff. [01:02:16] Speaker B: Sure. I am easy to find on LinkedIn because I have a very long last name, so good luck with that. And obviously, I have a website for bytes and bytes, so you can find me there. My, both my companies have websites. I'll make sure it's in the show notes for everybody as well, so I don't have to read it all out. But I am speaking at the food Safety consortium that's going to be in Washington, DC. The dates are stand by because I don't memorize everything in my life. They are going to be on the 21st. 1st I'll be speaking, and then I have to haul my butt down to Atlanta because I have two speaking engagements in Atlanta for ICS conference in Atlanta this year. I'm very excited about that. I'm actually talking about agriculture as a forgotten critical infrastructure. So you can continue this conversation with me there. I'm also speaking with another CEO from excellence, which is a cyber physical company out of the UK. And we're going to be talking about the food industry and why you need to care about cyberez physical. So that should be really fun, too. And then I am speaking at, in cyber in Montreal doing a round table type, I guess, fireside chat, not panel. It's gonna look like a panel, but it's not a panel about why agriculture is important and the work that bio ISAC is doing. And also, I'm going to have a food safety expert that's going to be there. He's also part of the Emmy nominated documentary poisoned on Netflix. If you feel like watching that. It's an excellent documentary. So that should be an amazing conversation, too. At the end of October. I think I'm speaking some other places, too. But to be honest with you, I can't remember right now because, God, there's so many of them, but they're obscure, so they're not necessarily ot. I bring ot wherever I go, though, so I hope that people know that that's what I'll be talking about. But, yeah, I am very excited about the fall. Autumn. Sorry for the UK listeners, autumn, I. Because God knows we can't say fall, right? [01:04:13] Speaker A: Well, that's great. There's a lot of opportunity. There's. There's so many fun places to go and learn and grow, you know, not everybody can go to black hat and Defcon. Not everybody should go to black hat and Defcon. RSA s four. Like, there's just so many great conferences. I'm actually going to a new one in Savannah, Georgia, called resetcon that's focused on ics. And. And it's. It's the first year it's going. Super excited to be there. Happens to be my wife's birthday weekend, so taking her so that, you know, she can. She can enjoy Savannah while I do some. Some nerdy, you know, geek squad type stuff. But yeah, that. Always doing stuff with the ICS village, any place they're at, I'm usually there in a volunteer mode having conversations like this. I love having conversations with people, no matter what their experience level. If you're a student or, you know, you've been doing this for 30 years, there's always something to learn and great conversations to have. And that's why you and I do this. Like, we want to spread this knowledge, not pretend that we know it all. We never. I never claim it. I've never heard you claim it, like, nope. We just enjoy having these conversations and using our experience for good to, you know, to hopefully make a difference and leave the space in a better place than where we started out. [01:05:26] Speaker B: That's right. That's exactly what it is. Absolutely. And I'm hoping that I've heard a little rumor on the wingest that hopefully there's going to be a b sides ics being built. So I'm excited for that, wherever that is and whatever it is. So, because we'd be great, we deserve our own B sides, you know? [01:05:44] Speaker A: Absolutely. Absolutely. I'm down. Let's do it. [01:05:48] Speaker B: Yeah, that's right. I'll let. I'll let the organizer know that there's support coming out of the airwaves now. [01:05:54] Speaker A: Absolutely. For sure. We'll broadcast it everywhere. Well, thank you for your time today. I really appreciate it. It was a great conversation. I'm sure I will see you. I think I'll be at ics in Atlanta. I'm not exactly sure as you kind of like what you said, like, my schedule is all over the place, depending on where I'm going to be. But that is definitely one that I usually try to get to. [01:06:13] Speaker B: Yeah, it's a little bit closer. For some of us on the east coast, it's difficult getting across the country. I know people in other parts of the world are like, well, imagine if you're traveling 12 hours. Yeah. It does feel like that, though. By the time we get over there. [01:06:27] Speaker A: For sure, things are changing everything. Exactly. Well, thanks again. It was a great conversation. I really appreciate it. Thanks for joining us on protect it all, where we explore the crossroads of it and Ot cybersecurity. Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field until next.
Previous Episode
Next Episode

Other Episodes

Episode 28

October 21, 2024 01:10:02
Episode Cover

Elevating Cybersecurity: Importance of Relationships, Mentorship, and Honest Feedback with Ken Foster

This episode delves into the world of cybersecurity with the esteemed guest, Ken Foster. With over 30 years of experience and a career that...

Listen

Episode 14

July 01, 2024 00:27:41
Episode Cover

Episode 14 - Practical Approaches to OT Cybersecurity in Critical Infrastructure

In this episode, our host, Aaron Crow, explores the intriguing world of OT cybersecurity products.   This episode explores the key differences between IT and...

Listen

Episode 8

April 04, 2024 01:07:45
Episode Cover

Securing Our Future: The Cyber Challenge in Aging Infrastructure

Summary The conversation covers the challenges and risks associated with aging infrastructure, particularly in critical sectors such as power generation and water treatment. The...

Listen