Understanding Food Safety in Cybersecurity
00:00:00
Speaker
you need to understand your business and your industry. So specifically in food, you need to understand that if you're in a food company, you kind of need to care about food safety as a cybersecurity professional because if your food is poisonous or poisoned or fraud, you're going to know about it and you probably aren't gonna have a job for much longer anyways, company will fold.
Introduction to Kristin DeMaranville and Her Role
00:00:22
Speaker
So you need to understand that your processes and the people and the people you interact with need to be part of your strategy
00:00:50
Speaker
And today our guest is Kristin DeMaranville, founder and CEO at Anson OT.
Challenges in OT Cybersecurity: A Discussion
00:00:57
Speaker
Food security, maestro, specialist, just wealth of knowledge when it comes to protecting all the cyber elements of the food supply chain, which we have not covered before. But that gets us into the ICS/OT territory. And this was a fascinating conversation. Everything from ransomware attacks on suppliers to, you know, how do we get a better representation on the conference circuit in this particular discipline for cyber? Yeah, I really enjoy talking to Kristin. I mean, it's clear her expertise in the OT space. And, you know, we have really not had a lot of episodes focusing on this particularly, but it's really big.
Kristen's Journey as a Woman in OT Cybersecurity
00:01:39
Speaker
I think, you know, I thought about this in 2019, even that
00:01:43
Speaker
with, but the convergence of a lot of these physical systems and internet of things now becoming so rapid, right? What are we going to do about this OT problem? And so Kristin's just taken the bull by the horns and she's wrestling it down. And she has articulated in this episode, some of the challenges she faces with her clients, some of the challenges she sees at a whole of industry
Significance of the OT Space
00:02:07
Speaker
level. And of course,
00:02:09
Speaker
dealing with some of the pushback she gets just being a young woman founder in an extremely niche and technical space. Yeah, it gets crazy, guys. It's all from protecting carrots and beef supply and GDP and all of it. So without further ado, we'll turn it over to Kristin DeMaranville. Kristin DeMaranville, welcome to the show. Woo! I'm finally here.
00:02:37
Speaker
That's right. We have been talking about it for a while. I have had the privilege of coming on your show, so we're very happy to return the favor. You are CEO and founder, which means you are on the vendor side, which by Bare Knuckles and Brass Tacks rules means the CISO gets first crack. So turn it over to you, George. Well, hello. Hello. Welcome to the... so we'll go on this like right hot and heavy. Oh, good. So not many founders choose to get into the OT space, especially of late. Like, I was just like, wait, she's a founder that doesn't just talk about AI bullshit?
00:03:15
Speaker
You exist? So you have a company that specializes in compliance, risk analysis, and training, specifically on operational technologies. A couple of questions. Why did you choose OT? And without naming them, talk about some of the problem statements that you're seeing from some of your clients in this space. Those are good questions, actually. I wish more people asked those kind of questions. So OT and me,
00:03:44
Speaker
met years ago. So it was kind of an accident. I crash landed and fell into it really. I
Public Misconceptions and Global Impact of Automation
00:03:52
Speaker
was an IT person doing OT work and not realizing it because at the time we didn't have OT in the company I was working for. It was just rolled in. So this whole IT/OT convergence shit that we hear all the time, I actually don't understand that at all because it was part of my day. You know, you're like, we started together. Why did we ever go apart?
00:04:12
Speaker
And that's exactly how I felt. And also we knew that the lines needed to keep running. People needed to be safe and the food needed to be safe. So we didn't care about who was doing what and what was going on. There was no division there for us. I realize in larger companies, they're silos. I'm a disruptor, so I guess maybe that's probably why I never noticed it.
00:04:29
Speaker
The reason why I stayed enrolled as a founder into an OT company is because I love OT. I love the mission of operational technology, industrial control, security, because it's not just about protecting data, it's about safeguarding lives. So it gives me a different sense of purpose, and I love the community I'm in. I have to say I'm one of the only women.
00:04:51
Speaker
There's not many of us. So we'll get to that not only. I'm not only a founder, but also a female founder, and an OT company, which is like even weirder. Right. And I niche down. So I niche into food and agriculture. So that's even more strange because nobody's paying attention
Holistic Approach to Cybersecurity Incidents
00:05:06
Speaker
to that either. So this is a very strange world that I am now entered into, which I'm here for. It's all about the weird, as I've discovered. That's the theme of 2025 already. It's all about the weird. Thousand. So in terms of problem statements, George, a lot of times people just go, well, do we need to worry about that? Or why do we need to worry about that? Or what does this have to do with me if it's a security person? Because a lot of times OT doesn't necessarily fit underneath a CISO's remit. It's usually in an engineering side or something to the facility side.
00:05:46
Speaker
But it is going to the CISO now. So the CISO doesn't just start caring, because you don't want to be the CISO that has to call up anyone and say, oh, hey, we've got this hack that's probably going to kill some people, literally, or questionable food safety or any of that.
Scarcity of OT Security Professionals
00:06:04
Speaker
That's what I worry about. There has to be a delineation, I think, between the role of CSO and CSO because CSO is more comprehensive and has that physical security element to it or a lot of organizations. And I think it's a bigger conversation than this episode. They still don't know really how to place the CSO. Like there's like three classes of CSO, like exact CSO, tactical CSO, strat CSO, or sorry, operational. So I think.
00:06:30
Speaker
I think we need to look at security holistically, and I played in that space. Like, I was a consultant at a company that ran Security Division, and I was helping build a quote-unquote converged security space to offer up OT service and advice, and I actually got to help work on like a, was it, a hybrid SOC that actually dealt with both.
00:06:53
Speaker
This is not, you know, reinventing the wheel. To me, just like you, it seemed all logical. Yeah, it's physical security, but they're all using digital systems. But I think from a leadership standpoint, do you not think then that industry is just not the people who are making organizations still don't understand the problem enough to be able to correctly classify and assign personnel? Because I think it falls into a gap in a lot of places.
00:07:21
Speaker
Yeah, I would agree with that. I think that's a good assessment.
IT and OT Cybersecurity Intersections
00:07:24
Speaker
I do think that cyber physical is a very strange concept of people because you can push a button, but yet you can also sit on your couch and push a button. I don't understand why that's so difficult considering we have smart lights that I was just messing with before the show started. But I think you're right about that, that there is this gap of knowledge. And that is very true in the industry anyways. It is very hard to hire an OT security professional. There's not many of us. And a lot of us don't have industry experience, or if we do have industry experience, it's very specific. And that's hard to get in because you get very niche as well. But that gap with leadership, even on the board level too, George, honestly, I'll say.
00:08:11
Speaker
There's just not enough understanding of what it means to have an incident in that space and what it means and what's going to happen in the organization. Because nobody's really quantified it really well. And a lot of the issues that happen are happening through IT systems that affect OT systems. So it's still an IT cybersecurity incident, but it's affecting OT. So people are like, well, isn't that just a cybersecurity incident?
00:08:33
Speaker
And it's more than that because like you said, it has to be a holistic space. It's just systems thinking. That's really ultimately what it is. Something happens over here at stage one and something happens over here at stage 11 and the whole system's screwed up. And that's what I'm finding more and more is how do you explain that to people who are silo thinkers and not spherical thinkers? And that becomes daunting, very daunting.
00:08:58
Speaker
Yeah, that makes sense. And that actually leads into the next question. So I'm going to ask it two levels, because this is the first time that we have tackled ICS/OT. That's not true, but at this level, especially with food security, which just touches everybody, right? Yep. So I'm going to ask it two levels. I'm going to ask it sort of a lay audience, because we actually do have civilian listeners, which is great, and also cybersecurity.
00:09:24
Speaker
This is the airing of grievances. You're familiar with the format of the show. What does the public not get about cybersecurity and the food supply chain? Like if you had to distill that, I think you've touched at the executive business leader level, the fragmentation of thought. But like, if you're talking to somebody on the street, like, how are you translating this to them?
00:09:48
Speaker
That their food is all automated, that everything in the food industry on some level at some point was touched by automation, an OT/ICS system before it hit your plate.
00:10:01
Speaker
I think people think that humans still milk cows in large mass production. Correct. I think that they think that every egg is handled, every chicken is handled. It is not. It has to be a larger system for the amount of food that we need to feed the world. I also remind people, and it seems to blow their mind, of how it's a global food system. It's not just a country food system. The country's food system is important, especially if we're sharing continent space,
Ransomware and Global Food Supply
00:10:34
Speaker
but it's a global food system. So if Russia invading Ukraine, that threw off the grain market, that put pressure onto other farmers in
00:10:45
Speaker
Netherlands, which puts pressure onto other places in Europe, the US and Canada, because they can't, they won't, they have to increase their yields to produce. That puts strain on the environment, transportation, global supply chain. And then when you start to go down this rabbit hole with people, they literally either glaze over or freak out. Why don't they tell me to stop talking?
00:11:05
Speaker
I'm not trying to freak people out. I think like the most salient example was the ransomware attack that hit JBS, the large beef supplier, which is headquartered in Brazil, but affected, you know, production for fast food restaurants in the U.S.
00:11:24
Speaker
It actually caused a shortage of beef in Australia and New Zealand. They'd have to eat the grocery store. It was actually that bad. And if you start digging into how much money you make in different sectors in different countries, New Zealand and Australia, the large amount of their economy is based on their agriculture. So you could imagine if they got hit with anything and it disrupted in any regard, that's going to affect that nation heavily. It's kind of like the example of the, I know this isn't a cyber event, so everybody just kind of hear it out for a second. When the GPS got knocked out by the solar flares that happened this year,
00:12:01
Speaker
and both in Canada and parts of the US, the northern United States, like the Minnesota area, they couldn't use GPS, which means they couldn't do precision farming. And precision farming is very important for yields and production of the largest amount of food you could possibly get out of a crop in a season.
00:12:19
Speaker
So they weren't able to harvest on time. They had to like remote back to like analog, you know, analog tractors. They couldn't do GPS, which plants it within like a millimeter of that other plant that keeps it to the proper crop and all these things. Yeah. Just for the audience edification.
00:12:38
Speaker
The tractors are tethered to the GPS grid, and they drive along the coordinates. So if you can't communicate with the satellite, you're relying on good old-fashioned humans driving in rows, which is just enough of a percentage off to rapidly decrease the amount of yield coming off. Which is a huge problem. And time out, while we mentioned tractors and OT security, I have to give a shout out to a friend of the show, Casey Ellis, his CEO bug crowd. AKA sick codes. Sick codes. Who actually was the guy that broke into John Deere's entire corporate infrastructure by breaking
Critical Sector Recognition and Industry Valuation
00:13:14
Speaker
into a tracker digital or a tractor digitally. So shout out to OT security. So I think if farmers are listening, they just freaked out, by the way. You just scared every farmer. Oh. So, great. So we've covered kind of like what the average person on the street is not considering when it comes to food security.
00:13:34
Speaker
What is the cybersecurity industry? Because I also think as an industry, we're not sort of like clued in on this, except for a handful of folks who are very focused and very vocal about it, Casey Ellis being one of them, yourself being another. What is the industry itself not understanding about that food supply chain?
00:13:56
Speaker
I think the thing that I always go back to and I get frustrated with, and I'm just going to pick on the US for a second because it's easier. We didn't add food and agriculture to the critical sectors until 2020. Just let that sink in for a second. I'm not picking on CISA. I'm not doing any of that, but what the hell is what I come back to? But like, I do need gas in my car, but I also need food in my stomach.
00:14:22
Speaker
However, half of your gas is probably made out of soy. Yeah. So there's another, this is why we need the food industry too. But I think what people don't understand is we need to protect it. I know that sounds really silly to some people because, oh, water is more important. Oil and gas is more important. Energy is more important. Transport. I don't care. It's all important. It's all critical. Okay. Right. Everything has claim of importance.
00:14:47
Speaker
But to constantly put food and ag and water at the kiddie table all the time in terms of funding, knowledge, expertise, anybody that's helping is really frustrating to me. I'm always the weirder one in the room when I talk about it. And then people are like, oh, well, we're not going to do anything about it until it's regulated. Great.
00:15:07
Speaker
And what am I supposed to say to that? That's great. I now know where you stand. Did you eat before you talked? Maybe you need to eat because you have a bad attitude, you know, one of those things. But I think people get so caught up in the emotions of food because it triggers so many things, you know, your cultural, religious. Yeah. We celebrate, we say goodbye, all the things, right? So it becomes this really intimate piece. So I think people get a little nervous about it, how to protect it. And the people in the food industry who are doing this work for food safety, food defense, and food security
00:15:42
Speaker
just blanket and call it food protection. They're just as passionate as any other cybersecurity professional I've ever seen. They care about their incidents. They care about their risk assessments. They care about what's going on. They're definitely into insider threats. They understand all of it. They're sharing the same burden we are, but the fact that we haven't tapped into that knowledge set to understand it on an industry level, that pisses me off from a security perspective, where we've got this resource that's already looking at it in a different way, but it would be really helpful for us so we could actually create better strategy around how we handle it. That annoys me that we're not working with our divisions, if you will.
00:16:19
Speaker
Yeah, I wonder if it is as basic as, again, like you said at the beginning, like humans think food, they think plant in the ground and not connected technology, data flowing through a network. Anyway, there's that. I will also say when I hung out with your food protection buddies,
00:16:38
Speaker
earlier this year or late last year and found out that they hold like 18 months worth of food in their basement. I got really worried really fast. Yeah, that's not everybody though. So just hear that. That's just a few people. All right. Well, back over to you, George. Yeah. What's the term for that again? For those people who are paranoid at the world's- Preppers. Preppers. Yeah. The survivalist preppers.
00:17:07
Speaker
Sweet. Shout out to the preppers. Yeah.
Gender Biases in Security Roles
00:17:10
Speaker
Also who just like on that topic of society undervaluing certain critical roles, I think of it as the same thing as like teaching like my sister is a principal of a high school up here and.
00:17:22
Speaker
you know, they are for the stress and the complexity that they deal with. And it's only gotten worse in the last five, 10 years, especially post COVID. Teachers are grossly underpaid, underappreciated. Parents just love beating them up. And then it's like, yeah, the parent doesn't put any time into parenting and the kid fails. They've been teachers that the teacher actually tries to put in discipline they blame the teacher. And I'm like, I feel like security, especially in the OT space kind of deals with this. Like it's always your fault.
00:17:54
Speaker
And there's a bigger extension that gets to a question. I can see your eyes rolling. I get it. But I'm fine. I'm always a troublemaker. Don't worry, George.
00:18:05
Speaker
Alan Voder, do you experience any pushback or hesitance for your expertise, knowing how niche your space is? For your expertise or your services because you're a younger woman founder in this space?
00:18:20
Speaker
Yes, but I had that before I became a founder. So I've always had that as a woman in security. I will tell you a quick story and granted, yes, this is a cultural story. So take this with a grain of salt. I was in Southern Japan.
00:18:36
Speaker
I was at a factory. They were not aware a woman was coming. So first of all, the people who were hosting me did me a disservice by not announcing me as a woman. So they assumed I was a man because I have a name that I guess looks like a man's name. Okay. So went into the factory. We're there for an extended security assessment. Got to the point where we had an interviewer room. So they lined us up in proper order and we had our name tags and all the things.
00:19:05
Speaker
And I went to ask a question and they looked at me like they were looking at the wall behind me. Like they saw straight through me. Didn't even acknowledge my existence. Kept on talking. Didn't even, I asked again. They ignored me. I finally get on to the point where I turned to my partner and I asked him to ask. And as soon as he asked, they answered, no problem, happily. And it dawned on me that I didn't matter at all.
00:19:34
Speaker
And I held my composure and got through it and went back to my hotel room and bawled my brains out because that was the first time really in a long time that I had been disrespected regardless of who I was or my expertise just because I was a woman. And I'm saying that's pretty extreme, obviously. But there's been other times where I've been told to be quiet, move faster,
00:19:58
Speaker
There's been other times where I've probably been mishandled physically in that regard, in a room, in a board room. There's a lot of things that stick with me, and sometimes it's really hard to think back to that. But then I realized, look how far I've come. I am a founder of a company. I have a very niche service. I'm still here.
00:20:24
Speaker
So there's kind of a big fuck you I'm still here, you know, and I'm going to keep going because I have to not only show the women that are coming up through the industry now and anyone else that you can still do this and still be here. But on top of that, I have the moxie to do it. It's not easy. And it sucks sometimes I'll be honest, George, like I feel like a party of one. Yeah. I think you've used the word exhausting. Do you know how many times I want to put on LinkedIn that just says, I'm exhausted. Who's with me?
00:20:58
Speaker
Yes, it's exhausting. But at the same time, when I have a random person come up to me at a conference and say that they're inspired or that something I said made them stay or because I introduced them to somebody else or they knew somebody else, they stay. So it's the community that saves me a lot. And I'm grateful for that for sure. And I do have good people around me, but yeah, there's a lot of shitty moments. Yeah. I can only imagine that. And I have to tell you,
00:21:33
Speaker
You know, like, uh, as a person who's also from a marginalized community, like, uh, it sucks to hear that you have this experience going all the way back from your IT career and in your current place now. But I do hope that.
00:21:46
Speaker
You know, doing this show and doing some of your future projects brings that respect. That's kind of the whole point of what we're doing. So thank you for still fighting the good fight. And as I threw the episode where, you know, halfway through it, the expertise you've demonstrated, I think is worthy of looking at it's worthy of contracting. People should come to you. They should give you their business. And I hope that it gets there. Thank you for being like an advocate in the voice of strength that you are.
00:22:14
Speaker
Always. I always... I can't not. I have a problem. I can't help it. Well, let's take a pause at the fuck you energy because we're here for that. And then we'll be right back for brass tacks.
00:22:29
Speaker
Hey listeners, if you dig the snark, the stories, and the big swings we take, we'd appreciate your support. You can now become an official supporter of the show. You can send us a one-time gift or sign up as a member to provide ongoing support. Memberships start for as little as $1 per month. Just follow the link in the show notes. Each membership tier comes with a unique set of benefits, including exclusive discounts to the BKBT swag shop and even advisory services for your team. So really, for less than you'd pay for one cup of coffee per month, you can support the show.
Strategies for OT System Protection
00:23:08
Speaker
It covers our hosting fees, helps us make cool swag, and it lets us know that what we're doing is valuable to you. Many thanks to listener Elizabeth Ramirez for her recent pledge of support. We'd love to have yours too. Now, back to the show.
00:23:25
Speaker
And we're back. All right, Kristin. So let's get into the brass tacks portion. So now we're going to get into solution oriented thinking. So before was problems. Now we're going to do fixes. So first thing, the problem with OT in this and based on my experience with it,
00:23:42
Speaker
It comes down to legacy systems that weren't designed for integration now being plugged in, particularly into systems that are open web connected. With a focus on, let's say, food security at a high level, talk to us about how organizations of various sizes across the entire supply chain can take a more proactive approach to protecting their OT, other than calling you.
00:24:07
Speaker
It's a bunch of things, and it's pretty standard, what I'm about to say. So I'm sure everybody who's in OT listening will be like, yo, if you don't know what you have in your environment, how the hell are you going to protect it?
Building the OT Workforce
00:24:18
Speaker
So get an asset inventory together, please, for the love of God. And don't just rely on some network scan. Go out and physically walk your floor and see what's plugged in. You'd be surprised how many machines aren't up all the time. They come up like once a quarter, and they're the most important for production kind of thing. Seen it many times.
00:24:36
Speaker
The, uh, the other thing I would say is, is you need to understand your business and your industry. So specifically in food, you need to understand that if you're in a food company, you kind of need to care about food safety as a cybersecurity professional, because if your food is poisonous or poisoned or fraud, you're going to know about it and you probably aren't going to have a job for much longer anyways, because company will fold. So you need to understand that your processes and the people in the people you interact with.
00:25:06
Speaker
need to be part of your strategy. The other thing I say too is, and I always say this, role-based training. Role-based training for security. Get on the floor, talk to the operators. Have a training that's geared towards them, but don't just make it about work. Anything you teach them, they can take to their home too. I know sometimes it's about strong passwords, but it's not always about strong passwords. It's about recognizing behaviors.
00:25:33
Speaker
And having a more security conscious presence about yourself. Somebody said to me the other day that it's, I have my evil mindset on, which I thought was really intense. I just say it's a security mindset because that sounds less scary. But I mean, example would be, let's talk about Boar's Head for half a second. I think we all know what happened in the news. Nobody's touching that meat for a while kind of thing.
00:25:59
Speaker
And they close that plant that is like the source of jobs for that. 500 people lost their jobs. Yeah. And that's really crappy, really crappy. But on top of that, you can't tell me that IT security or any other department didn't see that shit going on in there.
00:26:16
Speaker
So you have a responsibility as an employee to, if you see something, say something. That's security mindset, right? So that goes hand in hand to me of being a security professional. It doesn't mean you're a snitch. That doesn't mean you're being, you know, ridiculous. It means you're safeguarding lives in your own, your livelihood, other people.
00:26:35
Speaker
The other thing too is get to know your food safety, food defense, food protection, and food security teams. Get to know your quality people. Walk in the lab if they let you. Obviously make an appointment, kind of knock on the door. Don't like barge in and say, I'm security. I'm here. Don't do that. But like make friends. Talk to people. Don't just stay in your ivory tower. It sounds like you're saying get out from behind the computer.
00:26:57
Speaker
I am. And I know that's scary for some people because some security professionals like to stay behind the keyboard, which is fine, but this is not your job then. You need to make sure that you stay in a job that's good for that. You have to almost be, and I know it's a dirty word, you have to be a bit of a politician.
00:27:14
Speaker
You have to go shake hands and kiss some babies because if you don't know what's going on, I can't do anything about it. It needs to be part of your business continuity, part of your disaster recovery. That means understanding your industry, your business. And I think as security professionals, we tend to say very generic sometimes.
00:27:33
Speaker
Which is fine. If you only want to be a generalist, that's awesome. Go do that. But when you have things that are life-threatening, like OT, you have to pay attention more. It would kind of be like a fireman who only gets excited about things when it comes to a fire, instead of actually caring about the ambulance call that's going out from their station, that they don't want to be part of it because they only want to fight fires. That's stupid. That's a good analogy.
00:27:59
Speaker
Well, it would be because my dad's a fireman and he was an EMT, so I can make that analogy. So earlier you had mentioned there are not many of us and you sort of touched on level of OT expertise writ large.
00:28:14
Speaker
I am hesitant to say skills gap. I think that's pretty loaded at this point. But I guess what are some recommendations you have or ideas around improving and increasing that OT operational capacity and expertise in terms of just power, like labor, you know, in the security workforce.
00:28:39
Speaker
I think a lot of it comes down to is people need to get a different mindset about it. It's not always a hard hat and steel toed boots and an oil rig. You know, if you wanted to be that, you totally can be. Sometimes it's, I don't know, a CD/DVD factory. Sometimes it's a food factory. Sometimes it's a semiconductor. Sometimes you're walking through an elevator shaft. Sometimes you're in a building. It just depends, right? It depends on what they're looking for.
00:29:05
Speaker
is increasing exposure, maybe, yeah, like to the entry level. We are exposed to it all the time. Right. So being curious of your environment. I mean, every time I give a talk about OT, I always point to the elevators. I said, did you ride the elevator today? Congratulations. You rode in an operational technology device. Congratulations. Have a nice day kind of thing. Like people need to change their mindset because it powers our whole world. Right. So we're actually around it all the time. And I think people need to be less intimidated by it. They think they have to be an engineer or, you know, some type of a, I don't know, super smart MIT type graduate, and you don't. Not at all. In fact, we need people to be more human. The more empathy and humanity you could give to operational technology, the better it will be to secure it.
00:29:50
Speaker
There are tons of resources out to train on it. In fact, there's a good friend of mine. Mike Hocham has 96 hours for free on YouTube about OT and ICS. He's even made coloring books to help you learn. Like the man is, he turns out stuff and also shameless plug for B-Sides when and if you want to go ICS/OT. So I think that there's plenty of opportunity. The community is really welcoming. Everybody talks to everybody. I get messages every day asking how I can help them get, you know, more knowledge. And I always give them anything I've got. I've done training courses, which is super important to do. And it's fun. Yeah, so I have to ask though, like, where then?
00:30:33
Speaker
Beyond the training and beyond that, like, how do you then get people into it? Right. Because a lot of people they get into security because they think pen testing, they think architecture, you know, they think like red teaming, they think all these like basically the weirdo, like, dude in a hoodie in a basement with like, you know, monitors around them kind of thing.
00:30:55
Speaker
So how do you then go out and start recruiting and developing talent specifically in the
Importance of Diversity and Representation in OT
00:31:01
Speaker
space? Like, how do you convince people? Is it a college thing? Is it a pre-college thing? Is it like just posters? And like, how do you make this cool? The easiest way to get in is just to start asking questions in your own company, because there's OT there, you know, get to know your engineering team.
00:31:22
Speaker
Make friends. Make friends with people that are working on the products that you want to try to help protect and serve, if you will. The other thing too is, like I said, there's tons of free resources. A lot of people just kind of fall in because they end up doing like IT work or you know other generalized security work at an operational technology company. So say I started in a bakery company.
00:31:44
Speaker
I mean, I didn't think about OT when I started there, honestly. I didn't even realize there was OT there because I clearly was just as dumb as I thought, you know, I didn't know. And um I kind of just fell into it that way. But there's such a need for it. And there's just not enough people that do it. I mean, I was at a very large company that's a very well-known company.
00:32:09
Speaker
and they didn't have anyone on their global security team that did factory security. And 52% of the revenue came from manufacturing. So I think people don't want to go near it because they think that they have to wear the hard hat and the steel toe shoes and oil rigs and things like that. And they think they have to have a degree in electrical engineering. You can go get a degree in electrical engineering. You can go get a degree in astrophysics for all I care. It doesn't really matter. I have a degree in environmental management, which technically qualifies me for OT in some ways if I want to do wastewater removal treatment facilities and things of such. but
00:32:48
Speaker
That was an accident. I tried to get a degree that had nothing to do with what I did. Whoops. Yeah. It happens. But I, I can, I tell people all the time, look, I started my career.
00:33:00
Speaker
in break fix hardware, right? I drove a geek mobile around Washington DC. You can't get any more ridiculous than that, right? You really cannot. And I've managed to get to where I am today. I didn't start in OT. I was just around it as a child. I never made the connection that hanging out with in a fire station was hanging out with industrial control systems until I got older. I guess I kind of always had it in me. And a lot of people have that same reaction. If you come out of the military, if you were any part of the military, you're probably around it because since a lot of us are little cities that pop up, right? Or a ship or a submarine. Those kinds of things are already kind of preconditions your mindset into that systems thinking holistic approach that you'll be perfect for OT on.
00:33:48
Speaker
But it's hard to break into. It's hard to stay. Sometimes it depends. And it's a small community. It really is a small community. I mean, we're getting a little more mightier, I think. I definitely see more people at conferences now than I did before. And we have our own sets now of conferences, which is great. And the community at large is great. But we need more people. We need people to come in. So in terms of people, we also know representation helps. um and well
00:34:19
Speaker
Let's talk about that conference, right? There was a con there was an ICS OT conference, uh, late last year that had 82 speakers listed on the agenda and nine of them were women. That strikes me as like.
00:34:37
Speaker
worse than the standard in cybersecurity, which is saying something. It was actually worse than that, George, because they had people cancel the last moment and they filled the spots with men when there were women available to take them too. Yeah. So so you you were telling me that like that's the thing that irks you, that there are there is that talent. There are engineers, there are specialists, there are executive leaders.
00:35:01
Speaker
And but they're not being seen, right? They're not getting the same air time. They don't. So if you are talking about people trying to enter a workforce and they look and they see a room full of people who don't look like them, it's like, oh, maybe not this, not for me. I don't know what. So we don't want to complain anymore because we will punch that in the face. But ah let's talk about that. Like you're working on BSides OT. So like.
00:35:30
Speaker
What are some things behind the scenes? I mean, I think creating your own conference and sort of pulling strings there and your weight there certainly helps um as a you know an exemplar of what you want to see. But what what else can we be doing?
00:35:45
Speaker
I will say that I'm very grateful that Mike Holcomb, who is the founder of BSides ICS OT, was very conscious of making sure it was 50-50 women speakers and male speakers identifying male or female. And also that there was a women's event and that we were talking to the women that were going. So I get actually just got introduced to a woman who's coming over from the Netherlands and wanted to know about that. And she's coming on her own dime, which I think is amazing. There are other conferences that offer sponsorship for women.
00:36:18
Speaker
The selection process is a little questionable, but that's a story for a different day. And I think that there are people that are trying to do the right thing, but the problem is is they're not talking to the women. They're kind of making their own decisions in their own mindset. And that really bothers me. And I'm really tired of that because it's this is not a woman problem.
00:36:41
Speaker
This is not a woman problem. We're here. We're trying to be here. Um, I can only jump up and down so many times, and then I just become a, then I just become a bitch, right? Like, I can... That's what it becomes. So I have to find a way to continue to put a smile on for the women that are coming in, but I'm also real. I've had these conversations with some of the other women in OT and ICS, and they tend to be kinder, but I get real with it. I'm like, look, you're going to go through some shit. Here's what's going to happen.
00:37:10
Speaker
I hope it doesn't happen, but I want you to be aware of what's going to go down. You need to make a decision right now if you're going to plant your flag, where your battles are, if you're going to pick a fight here or you're going to wait. Just know that it's hard. You're going to get a lot of sweethearts and honeys and, you know, touches on the shoulder or wherever else and you're not going to want it. You're going to get weird hugs.
00:37:32
Speaker
But then you're going to find the right people and they're going to treat you like a little sister or they're going to treat you like your daughter, their daughter or something like that. And then those are the people you're going to hang out with and those are the people that are going to protect you. But don't ever feel like you can't raise your voice. Just know that it's not your job to make anyone feel comfortable. And I actually have a sweatshirt that says it's not my job to make you comfortable because so I don't want to live in a world where I am responsible for someone else's comfort.
00:38:00
Speaker
That's stupid. Like, yeah, you're a grown person, figure it out. And I think that we we're looking we have spaces together as women, but I would like to air one small grievance. And this is something that's very frustrating. We have a small group, but sometimes we are counterproductive for our own initiatives.
00:38:20
Speaker
where there ends up being a little bit of elitistness sometimes where, well, my group's not going to interact with your group because whatever. Or we don't want you in our group because you're doing this type of work and we only take these type of people or you live here. In reality... And it's so dumb. It's so dumb. And it it drives me. Someone told me today that it grates their soul. And I thought that is like the best representation of how it feels when other women start infighting for no particular reason other than the fucking patriarch patriarchy is winning again.
00:38:51
Speaker
And it does grate my soul.
Call for Collaboration and Inclusivity in OT Cybersecurity
00:38:54
Speaker
Yeah, George and I have a pretty understandably hard take on the it's just divide and conquer really just set the marginalized against each other ah so that the rulers stay in place.
00:39:07
Speaker
It's like, it's counterproductive and dumb. So I think that as long as that doesn't continue to happen, I think we'll be okay. But we do have women's events for OT-ICS and they're great when they happen. Ah, we, like I said, we have a good group of women that are trying. There are a large group of women in OT and ICS that are very quiet, very meek. They will never come forward, put themselves out at all. And I want to protect them because I think that they're treasures. And if they don't want to be forward, that's okay.
00:39:33
Speaker
Let us do it who want to be out and proud and and loud and obnoxious. But I want to encourage women to stand up and speak even if they feel like they're not good enough or their, their research isn't good enough or their, their experience isn't good enough because it is.
00:39:50
Speaker
I know we've all seen, and even the listeners will agree, that we've seen toxic conferences that we're like, what the hell? Who is this person? Literally. Like, what are we talking about? Sand? Like, what's happening? I don't want to be in here anymore. And I always say, your talk will be better than that because you actually have something to say that's important that people need to hear.
00:40:10
Speaker
Yeah, it harkens back to what we heard from Michelle Eggers, right? New to pen testing mainframes, but she was like, you still don't know what I know. You know, she's like, I haven't done this for decades, but I still know something that you don't know. And just being able to sit in that and be like, and claim that.
00:40:25
Speaker
Yeah. And I think the excuse of I'm nervous or I have anxiety or fine, you can have all you want. But then to look at the women who do speak regularly and in the podcasts and everything else and think that we're, you know, have these superpowers. No, I do it because I have to do it. It's not a, you know, because I have a superpower. We need people to stand up. We have to do this. I'm convicted with it.
00:40:50
Speaker
And I think OT is such an important mission that we need to have different diverse voices in it to be secure. We have to have that. If we do not, how the hell are we going to protect critical infrastructure? We're clearly doing a really shitty job with it right now. And I'm sorry. I know that's probably going to piss some people off. I'm sorry if you get some nasty grams from that comment, but we really are. I don't have to give examples. California is on fire. You know what I mean? Like, here we are. Let's do better because we can't keep doing the same thing over and over again with the same thought process. So we need to get more diversity in. Awesome. Well, that's a, that's a perfect place to end. Kristin, thank you so much for coming on the podcast. I'm glad we could finally make it happen. It's my pleasure.
00:41:41
Speaker
If you liked this conversation, share it with friends and subscribe wherever you get your podcasts for a weekly ballistic payload of snark, insights and laughs. New episodes of Bare Knuckles and Brass Tacks drop every Monday. If you're already subscribed, thank you for your support and your swagger. Please consider leaving a rating or a review that helps others find the show. We'll catch you next week, but until then, stay real.
00:42:09
Speaker
I've been stuck mentally this entire answer because I want you to make a movie and call it OT and Me. Yes. Yeah.