
Bites & Bytes Podcast

Safeguarding the Grid and the Plate: OT Insights with Aaron Crow, Host of PrOTect IT All Podcast

Mon, 26 Aug 2024

Description

In this special joint episode of the Bites and Bytes Podcast, host Kristin Demoranville teams up with Aaron Crow, the esteemed PrOTect IT All Podcast host and Senior Director at MorganFranklin Cyber. Aaron brings over two decades of experience in the cybersecurity domain, with a particular focus on operational technology (OT) and critical infrastructure. Together, they explore the evolving landscape of OT cybersecurity, discussing the challenges and strategies involved in protecting both the power grid and food supply chains. Aaron shares his insights from his extensive career, including overseeing cybersecurity protocols at over 40 power generation sites, highlighting the importance of cross-industry collaboration. Whether you’re in the food industry or power utilities, simply passionate about cybersecurity, or even curious, this episode offers valuable insights into safeguarding our most vital systems.

🏆 Vote for Bites and Bytes Podcast for Women in Podcasting Award 🏆
Voting opens on August 1, 2024, and closes on October 1, 2024.
https://womeninpodcasting.net/bites-and-bytes-podcast/
THANK YOU! 🤩 🎉

Aaron’s Info: LinkedIn, Website

Aaron Crow has carved a niche for himself as a prominent figure in the cybersecurity domain, particularly within the power utility and operational technology (OT) sectors. Currently serving as the Senior Director at MorganFranklin Cyber, Aaron focuses on OT cybersecurity across critical infrastructure, where he applies his extensive experience to safeguard vital systems. His career, spanning over two decades, showcases a dedication to enhancing cybersecurity measures in critical infrastructure environments.

Aaron's extensive experience includes a notable tenure as Manager of OT for power generation at Luminant (Vistra), where he was responsible for overseeing cybersecurity protocols across more than 40 power generation sites, including a vital nuclear power plant. Aaron's expertise in the field is further evidenced by his impactful roles at EY, a leading Big 4 Consulting Firm, and Industrial Defender. At EY, he held the position of Senior Manager, leading transformational OT cybersecurity programs for a wide array of significant critical infrastructure clients. His leadership and strategic insight were instrumental in addressing and mitigating multifaceted cybersecurity challenges. As the CTO of Industrial Defender, Aaron significantly influenced the company's product development and strategic direction, demonstrating his ability to innovate and drive growth within the OT cybersecurity space.

Beyond his professional achievements, Aaron is deeply committed to contributing to the broader cybersecurity community. He is the host of the "PrOTect IT All" podcast, where he has recorded over 50 episodes featuring discussions with some of the most recognized thought leaders in the OT cybersecurity field. This platform has become an essential resource for sharing knowledge, trends, and insights, further solidifying Aaron's role as a thought leader in the industry. In addition to his professional and community contributions, Aaron holds an advisory position with Building Cyber Security. This role leverages his comprehensive experience and dedication to advancing security practices within building management systems, emphasizing his commitment to improving industry-wide cybersecurity resilience.

Aaron's distinguished career in cybersecurity, particularly within the power utility sector and his extensive work as an asset owner, underscores his profound understanding of the challenges and complexities inherent in securing critical infrastructure. His expertise, leadership, and commitment to the field position him as a key figure in shaping the future of OT cybersecurity, making him a valuable asset to any organization or initiative aiming to enhance cybersecurity measures in critical infrastructure environments.

PrOTect IT All Podcast

About the Show: Welcome to "PrOTect It All," the podcast where we peel back the layers of cybersecurity to reveal the core strategies, challenges, and triumphs of protecting our digital and operational landscapes. We're thrilled to have you on board for an upcoming episode! Your insights and experiences are invaluable to our listeners who are eager to learn and engage with the leading minds in IT and OT security. As we gear up to dive into conversation, please feel free to share any specific topics or stories you'd like to discuss. Our audience appreciates both the technical deep-dives and the high-level overviews, so bring your unique perspective, and let's make cybersecurity accessible and engaging together. Thank you for joining us on this journey to foster a more secure future. We can't wait to hear your voice on the "PrOTect It All" podcast!

Episode Key Highlights:
(01:39 - 02:49) Food and Ag Cybersecurity Innovations
(05:51 - 06:41) Difference Between OT and IT
(10:17 - 11:19) Importance of Agriculture in Critical Infrastructure
(16:47 - 18:33) Building Resilience in the Food Industry
(22:41 - 23:34) Legacy Tech Challenges With IoT Integration
(28:35 - 29:44) Understanding Cyber Physical Systems
(36:05 - 37:06) Potential Chaos in American Disaster Response
(43:22 - 44:23) Cyber Attack Threatening Lives Through Food
(47:31 - 48:04) Resilience in Food Industry Cybersecurity
(51:36 - 52:51) RFID Tag Duplication Risk

Bites and Bytes Podcast Info: TikTok
Website: Explore all our episodes, articles, and more on our official website.
Merch Shop: Show your support with some awesome Bites and Bytes gear! 🧢👕
Blog: Stay updated with the latest insights and stories from the world of cybersecurity in the food industry.
Audience Survey: We value your feedback! Help us make the podcast even better.
Schedule a Call with Kristin: Want to share your thoughts? Schedule a meeting with Kristin!

Transcription

1.305 - 2.586 Kristin Demoranville

Thank you.


29.332 - 49.168 Kristin Demoranville

Welcome to the Bites and Bytes podcast. I'm your host, Kristin Demoranville. And today we have something really awesome for you. I've teamed up with Aaron Crow, the PrOTect IT All podcast host, for this joint episode. Aaron and I chat about operational technology, or OT, exploring how this critical area impacts industries from power to the food sector.


49.448 - 70.837 Kristin Demoranville

Whether you're a cybersecurity pro or a food professional or just curious about how these issues affect our daily lives, this episode has something for you. So grab a snack, enjoy your workout, plane ride or commute and get ready for an enlightening conversation. And hey, while you're here, don't forget to like, subscribe, and share this episode with your friends and colleagues.


71.177 - 82.982 Kristin Demoranville

If you haven't already, check out our website for more content, including this episode, blogs, and the merch shop. We've got some really awesome t-shirts, hats, aprons, and even a few other surprises. Let's get to it.


89.289 - 94.894 Aaron Crow

Awesome. Hey, thank you for joining me. Kristin, why don't you introduce yourself? Tell us who you are and what it is that you do.


94.914 - 116.311 Kristin Demoranville

Okay, great. Thanks for having me on the show. I am Kristin Demoranville. I am the host of Bites and Bytes podcast. That's bites like you bite something and bytes like computer bytes, where I talk to cybersecurity and technology professionals and anybody else in the food and agricultural industry about cybersecurity and technology and what that means to our food supply. It's a really fun show.


116.371 - 134.076 Kristin Demoranville

So you can check us out. Also, we're kind of doing a joint episode here. Welcome to my listeners as well. But what I actually do, I am the CEO of AnzenSage, which is a cybersecurity firm that's focused on the food and ag industry, mainly risk management, OT-related assessments, those kinds of things, trainings, lots of trainings.


134.136 - 152.621 Kristin Demoranville

I keep writing lots of trainings on what it means to be a cybersecurity professional in the food industry and how to be a better food professional with cybersecurity knowledge. So... And then the other thing I am, I'm also CEO of Anzen OT, which is an OT resilience intelligence management platform.


152.781 - 168.344 Kristin Demoranville

Risk intelligence really features different things like cyber PHA assessment, scenario building, playbooks, lots of really cool intelligence things behind it. It is new on the market. We are a new startup. So come check us out there. I'm happy to talk about that all day long as well.


168.584 - 188.928 Aaron Crow

Very cool. Well, and for your listeners that maybe don't know me, my name is Aaron Crow. I've been in cybersecurity and network security and this OT thing before it was ever called that. I grew up in working in critical manufacturing, power utility, a lot of those critical infrastructures. I actually do have some experience in the ag side as well. I'm from Texas.


188.988 - 211.618 Aaron Crow

So, you know, there's a lot of plants and things like that in this space from chicken plants and a lot of, you know, ranchers, et cetera. Right. So, you know, I've, I also have a podcast, PrOTect IT All, and emphasizing OT and IT. I do emphasize a lot of that in the OT space. But as we talk about this stuff, I had this conversation. This is, what, the 14th of August when we're recording this.


211.939 - 229.967 Aaron Crow

And I just came back from Black Hat and DEF CON. And I had so many questions and I work in the ICS Village. I'm a volunteer in the ICS Village, which is a nonprofit. If you don't know about that, definitely check it out. ICS Village is great. They do a lot of training and nonprofit things to kind of spread the word for operational technology and the importance of it.


230.028 - 249.918 Aaron Crow

But a lot of the conversations I was having at DEF CON, I've got this really cool blinky light OT wall that's got a PLC and secure mode access and a firewall. And it's really just a conversation piece to help people understand and I got so many people, this is 2024. And there's so many people that came up to me and were like, what is this? So I said, oh, well, this is OT in a box. What's OT?


250.038 - 269.351 Aaron Crow

And I'm like, oh, okay. Like we still, many of them, and I love the question. Like I'm very glad that they said, I don't know what that is. Like, or some of them were like, I've heard of it. I don't exactly know what it is. So it was great to just be able to have that conversation, explain it. And there was one gentleman that he was going for his PhD, his dissertation.


269.691 - 290.566 Aaron Crow

And he was, he was writing this dissertation from an IT/OT convergence. We hear that all the time. I know my face did the same thing when he said it. And we had this conversation. He's like, well, I think OT and IT have already converged. And I'm like, really? Like, explain that to me. He's like, well, the technology is the same. OK. I'm like, he goes, it all, OT now all has IP.


290.786 - 315.423 Aaron Crow

So that means it's IT. And I'm like, oh, no, no. So I had a 30-minute conversation with this gentleman about why I feel that OT is different than IT. The technology is the same. Like we see VMware and network servers and switches and all that kind of stuff that we have seen in IT now in OT. But the difference is, is what we do with it and what it impacts, right? And the implementation of policies.


315.483 - 333.014 Aaron Crow

I can't just take an IT policy and push it into OT because it breaks stuff. It just doesn't work. And we've seen that and it doesn't matter the vertical. You're in agriculture, in power utility, in oil and gas, in wastewater. It doesn't work to push it down in that way because it breaks stuff. And it's just a different way. Like we just saw this CrowdStrike.


333.074 - 349.222 Aaron Crow

I talked about the CrowdStrike incident a thousand times this week. That's a great example of I should not be patching or pushing updates to my OT systems. Just, hey, send it all. I should be sending to one at a time so that I can test and make sure. Like, we should all have a testing plan. And it's not a CrowdStrike issue. It's a policy.


349.362 - 360.069 Aaron Crow

It's the people and process side of people, process and technology that are really the biggest difference in OT versus IT. So that was my long rant of who I am and what I do and why I'm so passionate about this thing that we talk about.


361.465 - 383.822 Kristin Demoranville

I think the biggest difference between IT and OT, and I'm maybe a little bit more blunt than you in this regard, but I always say, well, IT is more about data, right? And OT is about safeguarding lives. It could kill somebody. IT is not necessarily going to kill anybody, right? Yeah. So it's a different mindset altogether where you're focused more on the people process side and the tech and OT.


384.422 - 403.154 Kristin Demoranville

We want to make sure it just stays up and available. So, you know, someone doesn't fall into a vat, becomes part of the muffin mix, you know, or they don't get electrocuted or they don't drown or they don't do anything that's awful and horrible. And nobody ever wants to go through that. And IT isn't dealing with people's lives necessarily. Right. Probably is a little crossover there somewhere.


403.194 - 423.343 Kristin Demoranville

But generally speaking, when I worked in IT, I was never worried about people's lives. I was more worried about my own life and being assaulted by an end user because they were upset. That was really probably my biggest thing there, right? OT, I was worried about me getting like catching on fire, watching somebody else get caught on fire and all these other things happening around it.


423.703 - 443.377 Kristin Demoranville

And I go back to those analogies because I think that's how it works a lot. We have to just keep talking that way to find that connection, that relatability. Oh, convergence. I cannot stand that term. Like it's right up there with like air-gapped and a few other terms that we say a lot because it's just, it's silly. Like we got to stop putting terms on everything because it's not helping.


443.537 - 457.007 Kristin Demoranville

It's just becoming more of a problem where we just need to focus on we're trying to protect and safeguard lives along with making sure that all these services that we support stay up and running because we like running water. We like electricity. We like the food that's on our plates.


457.267 - 474.117 Kristin Demoranville

We like that we can just go to the grocery store and buy whatever we want, whenever we want, because there's no seasons in a grocery store now, those kind of things. And that's why I love working in the industry, because I feel like I'm having an impact. I'm sure everybody in OT can say this, and ICS, is we feel like we have an impact on the greater good.


474.217 - 492.344 Kristin Demoranville

And if you say greater good back, we're best friends, by the way. That's the response you do. Absolutely. Yeah. And that's how I feel about, especially the food industry, because it touches so many aspects. All the suppliers, the third parties, things you don't think about, the containers that food comes in. That has to be done in a food grade level in terms of manufacturing.


492.564 - 504.569 Kristin Demoranville

How we're interacting with the food, food safety aspects, all these different things. I just, it's like a jigsaw puzzle. I love it because it really expands your system thinking and you have to realize everything is in a holistic sphere.


504.689 - 519.853 Kristin Demoranville

And I think that's what we do as OT as well is we're like, Oh, if something goes wrong here, up here at like, you know, three o'clock is not going to be really messed up. If seven o'clock is messed up, obviously this is going to cause a problem with the whole is we all understand how production works because it's all the same, right? It doesn't matter what you do.


519.873 - 536.119 Kristin Demoranville

I mean, it's the same type of thing. Materials come in, they get mixed up and kicked out the other way, but that production process in between, the thing that's the most important and the biggest issue is the people in the process. Because technology is not going to cause the problem. It's people. And they'll circumvent everything we do to make sure it gets done because they don't care.


536.139 - 538.079 Kristin Demoranville

They just want to get their job and go home, right? Right.


538.279 - 548.663 Aaron Crow

Well, and it's always been that way. Even back when I was an IT person, my first job in IT was like a desktop support. And, you know, our joke was always like, if we take the users away, my job would be easy, right?


548.683 - 549.263 Unknown

Absolutely.


549.503 - 569.892 Aaron Crow

Yeah, because, because I can make the technology work. It's the people that cause my problems. Like, they, they're clicking on something. You know, this is way back in the day, dating myself, but, you know, the, the old-school desktops, the big tower things, and we would literally have people use the CD-ROM as, you know, coffee cup holders, and then their CD-ROM tray would break off. And, you know, we don't have CD-ROM trays anymore, or even CDs for that matter. Um...


575.194 - 576.595 Unknown

So funny.


576.635 - 595.226 Kristin Demoranville

End users are the best and the worst at the same time. They're the best line of defense and the worst. I once walked into a factory. I think it was a media factory. So made like DVDs and CDs and games for consoles and things like that, which still exists. Console games apparently still exist. I didn't realize they were still making them.


595.446 - 616.867 Kristin Demoranville

And their help desk that was on site actually had a sign that said, if you ask a dumb question, I will light you on fire. Yeah. I just, I died because I was like, wow, first of all, HR violations for days, but good for you. You set the pace of what's going to happen when someone walks in that room looking for help. So I can appreciate the end user comment.


617.027 - 638.805 Aaron Crow

Yeah. And it's the same in any industry, right? But speaking of, so I know you spend time and a lot of time in the agriculture. Before we started recording, we kind of talked about how it doesn't get as much limelight as some of the other more popular, I guess is maybe not the right term, critical infrastructure, power utility, oil and gas, even wastewater and water. But


638.865 - 651.871 Aaron Crow

There are 17 critical infrastructures in our country deemed by DHS and Department of Homeland Security. So why do you think, two things, why do you think that agriculture doesn't get the attention that it may deserve?


652.071 - 662.016 Aaron Crow

And secondly, what are some of the common problems and maybe even unique problems that agriculture has in the space that we need to make sure that we're thinking about from an OT cybersecurity perspective?


662.076 - 667.24 Kristin Demoranville

This is such a big question and I don't have the right answer. So I'm just going to kind of give you some train of thought on it.


667.54 - 667.721 Unknown

Sure.


667.981 - 690.278 Kristin Demoranville

Agriculture and the food industry as a whole wasn't added to the critical infrastructure number for CISA or Homeland Security until 2020. That wasn't that long ago. You know, that is disturbing, first of all. I think it's a kind of a twofold issue where people think that the food industry doesn't have any money, which is hysterical because, I mean, Mars just bought part of Kellogg's today. Right.


690.538 - 712.33 Kristin Demoranville

As of today. And that was a $300 million deal, I believe. Don't quote me. Sure. But it was something ridiculous. So tell me again, there's no money in the food industry. Right. Also, I believe the largest payout for ransomware to date that we're aware of, and I say that loosely because we don't know at all, was the food industry. Right. So there's money. So I don't buy that really very well.


712.65 - 728.157 Kristin Demoranville

I think the actual reason is because nobody's got a handle on what the actual supply chain for food looks like. Right. And that was shown very clearly when the ransomware for JBS hit the meat company. Right. Because it was awful and still is.


728.757 - 745.948 Kristin Demoranville

I was actually just speaking to some people from the cattle industry last week, and they were expressing their frustration of just how difficult it is to manage their supply chain. So what if a supplier gets hit like JBS? How do the grocers purchase any meat? They can't purchase it from them. So where do they go? Is there a backup plan?


746.248 - 763.441 Kristin Demoranville

You know, there's all these questions that I went even further and said, what happens with JBS? Because the cattle couldn't get slaughtered in time. So then you've got cattle that's standing in trailers or holding pens. You can't retract them to the farm because they don't have feed or space for them probably by then because they've already rotated. There's all these.


763.462 - 782.59 Kristin Demoranville

So who does the burden fall onto? The rancher? Oh, God, I hope not, you know? Right. Does it fall on the distributor? They don't have overflow pens necessarily. Nobody's ever tested their backup incident response plans. There's no disaster recovery. There's no BCP because people just think, oh, well, you know, it's like business as usual.


782.61 - 794.973 Kristin Demoranville

We're just going to lean on people around us in the community. But the community has shrunk because we're losing agriculture jobs every day because people are moving to cities. It's not as popular anymore. It's trying to get a little more trendy.


795.193 - 817.642 Kristin Demoranville

I'll be honest around like regenerative agriculture, because you can be a total nerd and geek and still farm because now you can bring your Cybertruck out to move your chicken house. Which looks sexy, right? Like not that it's not sexy, but it's just the concept of it is sexy. You could use, you know, hybrid cars or plug-ins to do that work. So that kind of is attractive, obviously.


817.942 - 831.693 Kristin Demoranville

I've been kind of joking around. It's like cyber farming, you know, in a way. Yeah. I'm... don't quote me on that. 'Cause if somebody brands that, I'll be like, well... But those kinds of things, people just don't have a good handle on the supply chain at all because it is huge.


831.893 - 843.877 Kristin Demoranville

And instead of actually, and I say this all the time and I ripped this off a friend of mine that's in OT in the UK, but we literally keep trying to boil the ocean, find that silver bullet moment when we just need to sit down and make a cup of tea.


844.417 - 863.527 Kristin Demoranville

And if we start focusing on the smaller aspects, like, you know, people process, because honestly it's probably the easier and less expensive to deal with. And then move to, okay, we've got these technology that are in these environments. What are we doing with them? There are companies out there turning tractors into autonomous vehicles via like a little kit. That's OT/ICS.


863.787 - 882.205 Kristin Demoranville

Like, hello, does the industry know that? Did you know that, listener? Did you know that? Like, that's stuff when I hear that, I'm like, oh my God, did anybody talk to the security teams around these? Like, the farmer doesn't have a security team. Mm-mm. The farmer doesn't have time for that. They are just happy if they break even and make some profit at the end of the year.


882.505 - 902.597 Kristin Demoranville

That's what they want to do. Keep their families fed, the lights on, their cattle fed. That's it, right? It doesn't have to be more than that. But here we are as security professionals who have been in the industry long enough, both of us, and we know just how bad it's going to get because nobody's been dealing with this. So my worry, and I know I'm jumping your question, Seth. Okay.


903.037 - 920.629 Kristin Demoranville

Everybody get it. What my worry is over the next three to seven years, roughly, is that we're going to have such a major foodborne illness issue out of the food industry because of some cyber attack that hit, whether it's nation state, bad actor, disruptor, brand disruptions, whatever, that we're going to be so rattled that we're not going to know what to do.


920.849 - 921.009 Unknown

Yeah.


921.409 - 941.053 Kristin Demoranville

And we're going to do the wrong things. We're going to put a Band-Aid that needs to be a stitches situation. And it's just going to make the supply chain even worse. And that's my concern. And I've talked to a few food safety experts who've asked me on air, literally, hey, how many bodies need to be on the floor before somebody does something? And my response back was probably a lot.


941.113 - 957.592 Kristin Demoranville

And I hate to say that out loud. And the person who asked me that actually lost a child to E. coli poisoning. So it was this really personal moment of, I'm sorry to say, I just think we're not smart enough to deal with it ahead of time. Because people don't like being proactive. They just want to be reactive. And that's frustrating.


969.192 - 986.195 Kristin Demoranville

Thank you so much for tuning into this episode of Bites and Bytes podcast in collaboration with PrOTect IT All podcast. Your support means the world to me. I have some very exciting news. I've been nominated for the Women in Podcasting Awards in the technology category. Yeah. Please vote for the show.


986.396 - 1005.198 Kristin Demoranville

Your vote would be a huge help in gaining visibility and raising more awareness for cybersecurity and food and agriculture. Voting is open now from August 1st till October 1st and the link can be found in the show notes. Thank you in advance. I appreciate you taking the time and I couldn't be more thrilled that the show has been nominated. Now back to my conversation with Aaron.


1011.3 - 1029.051 Kristin Demoranville

And I'm about to use some buzzy terms, so everybody just brace. But we need to move away from being in recovery mode all the time to being resilient, especially in the food industry. And that's what I constantly go in and talk about. You're going to get hit with an attack. I don't want to hear that you're not because you are. Are you prepared? And the response back is, I don't know.


1029.631 - 1052.576 Kristin Demoranville

That's bad. Let's get on it. You know, like, that's, let's just not even think about it. I actually, as an owner of a software company, I actually got hit with a brute force attack a couple weeks ago, and instead of freaking out, we quickly triaged and everything was fine. We didn't have any issues, no breaches happened, nothing like that. But I actually, afterwards, I had this cackle laugh for like five minutes, with like tears, because I was like, we're legit, we got hit.


1055.038 - 1073.536 Kristin Demoranville

Because you got to turn it around to be like a positive in a way. Like, oh yeah, we're cool enough to be hit. Like, right, what did, what did we do? Yeah, sweet. You know, whatever we're doing is, must be working. Our branding, keep it going, because we're doing well. And I think if people started looking at it from that almost comical mindset, there might be the laser to roll through it.


1073.756 - 1081.262 Kristin Demoranville

But I am, I am very worried about our food supply chain. And I'm not just speaking about the United States. I'm speaking globally because it impacts globally. It's not just here.


1081.482 - 1105.458 Aaron Crow

Well, and we saw so many supply chain issues during COVID like it really brought to it. It brought to bear how bad our supply chain in general was. We're already concerned with global warming and population and all of these things. You know, the way that we do farming today with, they talk about how our topsoil is, we have limited... Yes, we're limited in how we can do that.


1105.518 - 1123.768 Aaron Crow

And regenerative farming is the way of the future. But how do we feed everybody with that method? And there's just so many things that go into that. You hit on something that I repeated probably a hundred times this week in all the conversations in Vegas, talking at Black Hat and DEF CON. And it's OT a lot of the times. It's not sexy.


1124.328 - 1145.949 Aaron Crow

The things that I need to do in the very beginning are not AI and quantum computing and all of these fancy buzzwords. Most of the time, it's very basic. You know, do I have a recovery plan? Do I know where my critical assets are? Do I have an asset list? Do I have a recovery option? Have I executed that thing? Does everybody know what part they play? It's usually basic, basic things.


1146.129 - 1162.638 Aaron Crow

tackling, right? And it's not all technology-based. Maybe, let's say it's 50%, which I don't even think it is that. Less than half of it is finding a technology solution, which there's some of the vendors that I work with that don't like it when I say that. I'm sorry, but it's the truth, right?


1162.979 - 1170.263 Aaron Crow

There is no product I can grab off the shelf that's going to take away all the risk if I install it in an OT environment. I wish there were, but there's not. There's just not.


1170.543 - 1185.935 Kristin Demoranville

There isn't. And there's no real collaboration there. It's getting better. I shouldn't, I'm sorry. I shouldn't say that because a lot of the OT products want to work together in some type of a collaborative environment, but there's still like, you know, this is mine. That's yours kind of thing, which is fine. And whatever, I get it.


1186.075 - 1205.386 Kristin Demoranville

But there's no, how is an end user supposed to navigate all these products when they're already working on slim margins and whatnot? Because you know, this being in the utilities, there's no money, like money's allocated out. It's forecasted to hell. Right. The food industry is the same way. And everybody runs on slim margins and slim production because they want to get things moving.


1205.406 - 1222.689 Kristin Demoranville

And they call it efficiency. They bring in just product enough that they have to get in and then push it out. It's never anymore. So there's no spoilage or overflow. The water industry actually is learning how to feed itself, as I say, where they're selling their gray water to data centers that are close by to them. Brilliant, brilliant strategy, right?


1222.989 - 1239.122 Kristin Demoranville

But that now means that OT is in data centers even more than it was before. Yeah. Has anybody thought about that? Because your cloud needs OT. Like, hello. It's pretty obvious. Right. And the water guys need more and more love because they don't get any either.

1239.483 - 1251.876 Kristin Demoranville

And I will advocate for them until I turn blue in the face as well, because we need water for so much stuff in the food and ag industry, obviously. And we already have droughts everywhere. So there's that moment as well. Glaciers are melting.

1251.916 - 1267.716 Aaron Crow

We have droughts, global warming, fun times. Well, a friend of mine is, I won't name the name, but a friend of mine works at a social media company with a very large data center. There's, there's quite a few of them. It doesn't matter which one it is, but they have millions of PLCs. Millions.

1268.076 - 1268.397 Unknown

Oh, yeah.

1268.817 - 1290.301 Aaron Crow

controlling all sorts of things from temperature to pressures to, you know, lights and air conditioning and valve. Like there's so much, there's halon systems and all these different things. Buildings have OT, like any skyscraper, even not even a skyscraper, just a normal building you walk into. There's controls around sprinkler systems and all these different things. OT is everywhere.

1290.401 - 1304.845 Aaron Crow

We just didn't always classify as such. Like it's a new term, relatively new term. It's been around forever. We've been doing automation since the fifties, and before really, but automation has been around. We've just started putting the technology side and putting IP addresses on it.

1304.945 - 1327.193 Aaron Crow

So we brought these other risks into this space, but the OT's been here for, I mean, my dad worked in power utility for 40 something years. He's in his mid seventies now. He's been doing this this whole time. He was never cyber related. It was always control systems and control engineer and automation and instrumentation and even continuing emissions monitoring as that came in to be a thing.

1327.233 - 1335.275 Aaron Crow

But all of these things have been around for decades. We're just solving new problems to old, adding new problems to existing and older problems.

1335.495 - 1353.948 Kristin Demoranville

It's true. And I have a similar situation. My dad was a fireman for 45 years and that was all industrial equipment and PLCs and various other things. And he never really made the connection until I explained what I did. And then he kind of was like, huh, so you're like a chip off the block kid, aren't you? Like, this is like a continual theme.

1353.968 - 1371.737 Kristin Demoranville

I said, yeah, civil service clearly runs with the family, dad. I mean, exactly. That's really kind of what we're doing is social service. But yeah, no, absolutely. The more we added tech into these environments, and I mean tech by like internet ready, IoT, that kind of stuff. The more we turned all these legacy devices onto the internet, they were like, whoa, what is this?

1372.037 - 1381.102 Kristin Demoranville

I don't know if I like this space. I might cause a problem now. It's kind of like you gave your grandparents like a cell phone.

1381.282 - 1381.442 Unknown

Right.

1381.602 - 1410.604 Kristin Demoranville

Or smartphone, and they were like, what is this? And all of a sudden they started falling for all those scams. It's kind of the way legacy tech works, you know. It's sort of just like, oh hey, you're my friend, come on in. I don't know you, like. And the problem is we didn't put any guardrails around that at the beginning, and now we're still kind of digging out. And it's so funny because you go around the world and it's the same everywhere. Yeah, it's, no, I mean, that's, that's the united front for us. Like, it's, it's really quite brilliant in that regard. I thought I was going to deal with it less in certain countries than I did in others, and it's the same all around.

1411.064 - 1411.645 Kristin Demoranville

Right. Right.

1435.484 - 1457.138 Kristin Demoranville

you have, here's the number, it's about 150 or something like that, right? Find them all, like a scavenger hunt, right? Yeah, I think that'd be cool. So if somebody does it, let us know, because we totally want to participate and probably dominate it and win it. But I just act how I used to do it too when I'd be sitting around with people who didn't understand. I said, well, where we are right now, I can count at least six devices that are close to us that run that type of equipment. And they're like, well,

1457.458 - 1471.844 Kristin Demoranville

I don't understand. I said that elevator, that alone, like, you know, that kind of thing. And it's, it's so interesting watching people realize, oh, well, I've worked with that kind of equipment before. Well, you've been in OT then. Like that's, I'm not saying you are an OT person, but you have worked in it before.

1472.084 - 1489.731 Kristin Demoranville

I actually jumped into OT at a bakery company and I didn't even make the connection. I was doing OT because I was doing IT. We didn't have an OT department. We were the OT department. But I didn't know all the really cool technology names and bells and whistles and things. I just was like, yeah, the thing that goes over there and doesn't kill anybody. Like that's all I recognized it as.

1489.871 - 1506.498 Kristin Demoranville

And realizing as I moved through my career, I was like, oh, I've been in OT for a while. Yeah. Okay. Like, that's fine. But I enjoy it because we're protecting people. It's not just about the data because data is sexy. Don't get me wrong. It's like, you know, the new gold and we all love it because it's cool and gives us good things we can look at.

1506.698 - 1515.881 Kristin Demoranville

But the idea to be able to sit at the end of the day and realize that you helped save someone's life and kept them to go home to their family. Like, that's amazing. Like, that feels really good. Really, really good.

1515.942 - 1532.368 Kristin Demoranville

And I want to continue to do that, especially when it comes to food, because we're like a breath away from a foodborne illness because we don't understand food security around the tech that's in these environments. And we just keep adding more stuff because digitalization is a huge thing in the industry. Sure. They've been automating forever.

1532.588 - 1547.694 Kristin Demoranville

You know, if you think about the food industry as a whole, how it's come up, you know, we originally were the ones plowing the field and then we attached the cattle, horse, and then we moved to the tractor and dah, dah, dah, dah. The food industry has been innovating forever. They're great innovators. R&D is fantastic. I mean, we have lab grown meat now. Hello.

1547.734 - 1565.807 Kristin Demoranville

Like these are things that are like kind of crazy. We can 3D print a salmon. It'll be protein, but we can do it. So for me, why aren't we attaching cybersecurity to technology more? And I don't want to get into the whole product security conversation because that's a whole different rabbit hole. And I blessings upon the people who do that work.

1566.328 - 1580.578 Kristin Demoranville

But why aren't we having more of that conversation inside of these environments? It's because cyber needs a rebrand for OT. We literally cannot explain what we do very well. And I think if we could, we'd probably win more hearts and minds for that people process us for sure.

1580.758 - 1602.673 Aaron Crow

Absolutely. And the talk I gave at DEF CON, actually in the ICS Village, was about cyber-informed engineering, which, the term came out of Idaho National Labs, which is a DOE-sponsored laboratory. And the whole concept around it is we need to build cyber as part of the overall system and integrate that. When I'm designing the system, cyber needs to be considered, right?

1602.993 - 1612.941 Aaron Crow

We've got old equipment, we've got legacy equipment, we've got new equipment. Anywhere in there, we need to be considering cyber as a risk and as a part of our remediation. How are we going to recover?

1613.021 - 1629.595 Aaron Crow

When we say cyber, people that are outside of this or even people at DEF CON and Black Hat, when I had this conversation, they immediately think, well, I'm a nation state, North Korea, China, whatever. It doesn't necessarily mean that. It can be simple ransomware. It can be misconfigured hardware. It can be an insider threat.

1629.635 - 1637.942 Aaron Crow

There's a lot of things, and it's not always bad actors from another country that are trying to attack us and start World War III. Some of them are, but not all of them.

1639.063 - 1658.879 Kristin Demoranville

Yeah, no, exactly. And I think we have to think beyond it inside of the OT environment. So I'll give an example, right? You have an allergen issue inside of a factory. So you have a peanut area and a non-peanut area. You have a disgruntled employee that goes from the peanut area to the non-peanut area. Whose problem is that? Right. Sure. Food safety, food defense. Absolutely.

1658.899 - 1677.399 Kristin Demoranville

You get that problem. But it's also cybersecurity's problem because with the industry that we work in, food and ag, cyber physical is still cybersecurity to me. Physical security is still cybersecurity to me. That access control should have been managed better, whether it would have been biometrics, if you could do that without gloves or those kind of things, eye scans, badge readers, that's cyber.

1677.719 - 1684.525 Kristin Demoranville

And IT, which also could be connected to OT depending on your access level control where you are. Cameras. There should have been cameras. There wasn't.

1684.725 - 1702.261 Kristin Demoranville

I mean, the only reason they found out is because they did some testing on the other end from quality and they realized, oh, whoops, we have, you know, peanuts in our cookie that we shouldn't have that go out to this major retailer, which they lost that retailer because of that incident. They lost it. They lost face. It was a mess. It was a total brand incident, total nightmare.

1702.382 - 1715.639 Kristin Demoranville

That to me is something that cybersecurity and OT should have been involved in. It shouldn't have happened in the first place because they should have set up parameters to get around that, you know, not to ever happen. And then on top of it, we should have had that conversation. We should have been part of that conversation.

1715.839 - 1732.086 Kristin Demoranville

That bothers me a lot that we don't think that far because that's a resilience piece. Because people are like, oh, well, that's not an adversary. That's not a cyber attack. It's an insider threat. To me, describing this incident to a food defense professional, they literally said that's terrorism. They would class that as terrorism on their report.

1732.226 - 1746.912 Kristin Demoranville

And I went, wow, so that's like domestic terrorism? They're like, yeah. And I'm like, whoa. So now we have a whole other level of things I didn't understand at that time. And now looking back on it and thinking about the system as a whole, yeah, we have a stake in this. We have responsibility. Access control is our problem.

1747.032 - 1766.473 Kristin Demoranville

And I've had to define what a cyber physical system is multiple times recently. I thought it was self-explanatory. I'm not picking on people who don't know, but I literally have had four people in the last two weeks ask me exactly what that is. And I've been on air when it's happened. And I'm like, well, it's something that can get on the internet.

1766.553 - 1782.816 Kristin Demoranville

Like, I guess that's how the best way I would describe it to you. It's something that could be both physical and cyber related. So push a button, pull a lever, but you can also sit on your couch and push a button on your phone. And people are like, oh, cyber physical. Wouldn't that just be IoT? I'm like, not necessarily. So it's a...

1783.656 - 1797.144 Kristin Demoranville

We've got some, we've got some branding term issues we need to deal with in order to make this more mainstream, even though it is mainstream because we all eat and we all work and around this a lot. And I don't, I don't think it's us. I don't know. I don't know what it is.

1797.304 - 1811.691 Kristin Demoranville

But we need kind of a rebrand in the OT side to be able to start communicating what we need in order to serve the companies and the people that we do. Because we can sit in a room all day long and geek out and get excited. We do every time we're at a conference together. Everybody's like, woo!

1811.951 - 1830.839 Kristin Demoranville

I will say that OT/ICS conferences are my favorite, not because I'm biased because I'm in the niche, but we have a different conversation. It's personal. It's almost intimate because we understand the human factor here differently. And we look at it like that in a very severe way. And like you said, it's not sexy all the time. We have to wear more protective gear.

1830.859 - 1851.535 Kristin Demoranville

It makes us look crazy all the time. I mean, you have hard hats behind you. I mean, I have had to wear multiple hairnets and like basically a shield and you have to like put yourself into a zip up like white suit and booties. Like it is not, you are not attractive. You look like a Stay Puft marshmallow. What went wrong? But I still love it.

1851.695 - 1883.28 Kristin Demoranville

Like, I can't imagine not working in this industry, right? Like, I can't imagine not being here. And the fact that I get to sit on podcasts like this and talk to people like you, it's just so much fun. I have such a great time here. Hey, listeners, we'll take a quick break, but don't go anywhere. Just a reminder to check out our website for all things Bites and Bytes.

1883.62 - 1900.474 Kristin Demoranville

Blog posts, additional content, and of course, our merch shop. If you're enjoying the show, hit that subscribe button to never miss an episode. I appreciate all of you who share the podcast with your network. It really does help the show grow and bring more great content to you. We'll be back in a few minutes with more of my conversation with Aaron.

1905.854 - 1925.245 Aaron Crow

Well, and there's so many, again, we mentioned it, but there's 17 critical infrastructures. And the reason that they've been categorized as critical is because they're critical to human condition as Americans in our country. And if any one of those go down, it is going to impact our lives. All of our lives, not just yours, not just mine, but everyone's.

1925.285 - 1930.97 Aaron Crow

Like if the power goes down, you can't pump gas. You don't get water. You don't like everything tumbles down.

1931.01 - 1933.392 Kristin Demoranville

If you go on a hospital, forget the hospital.

1933.432 - 1949.846 Aaron Crow

Don't even bother going. So the reason these things are critical is because really smart people sat in a room and they said, hey, what are the things that if they go down are going to impact society? Like the bigger society. So there's 17 of us. And I would argue, and I've worked in many of them, not all of them, but many of them.

1950.026 - 1967.319 Aaron Crow

And I would say almost all of them, at least the ones that I've been in, underfunded, people don't understand the risk, including the asset owners. And they don't have the right people and processes. And unfortunately, cyber is not designed and engineered into the system. And it's an afterthought.

1967.439 - 1987.183 Aaron Crow

And unfortunately, usually an afterthought after something bad happens, like the example you just gave about the peanut, right? So they start looking at these systems when there's an attack, when there's a breakdown of physical or cyber incident. And then they have to because the spotlight is on them and they're required to. And then everybody else may be hopefully around them that are similar.

1987.223 - 2004.191 Aaron Crow

Say, oh, it happened to them. It could happen to us. We should, we should look at that, too. Or there's regulation that comes down. So unfortunately, that's where we sit a lot of times in this industry. And it's not because the companies are bad companies. These are some of the best people I've ever worked with. They want to do the right thing, but they are strung behind.

2004.311 - 2021.481 Aaron Crow

They can only do what makes them money. And unfortunately, cyber and all this stuff is not a revenue center. We're not creating revenue value. My power plant's not more efficient. I don't create more wheat because I put in cybersecurity. It's more almost like an insurance policy. And nobody likes paying for insurance. It's just like this, ugh.

2022.021 - 2039.855 Kristin Demoranville

It's a return on investment, right? You've got to value your property, if you will, or your IP or whatever you want to call it. If you don't, then running into this constant recovery mode that we're stuck in. On repeat, we are on repeat in recovery mode. We need to get out of recovery mode and start focusing on being resilient because it's going to happen.

2039.855 - 2066.376 Kristin Demoranville

And there are cost-effective ways to get around it. But again, it's not the sexy stuff. It's the people stuff, right? And nobody wants to talk about people because we're hard. And maybe that's part of the reason why food and ag and even water kind of got left to the side, is because people are hard, and maybe that's part of it. Also, the people who came to the table first were oil and gas. Sure. I mean, they have a stronger lobby. But most of the countries that are out there also have their critical infrastructure, and food and ag was put on there's the first bit, so I don't

2066.496 - 2089.903 Kristin Demoranville

And we have so many examples. And I know I don't want to be heavy like nation state poo-poo here, but here we are. We already have examples of how this is happening. Destabilize a country. They will do that through electricity and food. Because they want you to freeze to death in the winter and they want you to starve. It's basic warfare, right? That scares me. We already have examples.

2090.043 - 2110.256 Kristin Demoranville

Ukraine is a great one. Not a great one for a good reason, but it's a great example of this for happening. And it's so frustrating to me that we still haven't realized this. I have a good friend of mine who is an agricultural futurist. He's a strategist. He does focus on cybersecurity as well. And he asked me, deadpan one day, have I ever starved? Or how was the longest I went without food?

2110.316 - 2129.132 Kristin Demoranville

I'm like, I don't know, 48 hours, maybe because of a flight situation or something like that. And he goes, you know, he's like, I tried an experiment for 10 days. And he's like, I didn't make it that far. He goes, it made me realize how many hours or days would it take you to commit a crime? You had to feed your family and there was no food. Yeah.

2129.412 - 2148.266 Kristin Demoranville

And I thought, I don't know, probably some people will make a couple hours. He goes, if he said the average is something like eight hours. And I was like, that's chaos. That's chaos in the street, literally. And everybody would feel it the same way. I can't imagine specifically the United States being in that type of chaos. The amount of guns we have in this country, for example.

2148.667 - 2164.915 Kristin Demoranville

I just think that that is, this would be apocalyptic, right? We haven't completely focused dead on to how we're going to deal with the supply chain. Yikes. And also we're growing so much food for animals rather than human consumption. And I'm not saying that's bad because we still have to feed animals.

2165.155 - 2188.08 Aaron Crow

The one thing I'll say on that is you look back and we do have a couple of examples of that in America. And you go back to Katrina when we had the hurricane that came through in New Orleans. And we saw martial law in two or three days and people that were committing crimes and going at gunpoint. And these are not bad people. These are everyday people like you and me that are dying.

2188.08 - 2207.462 Aaron Crow

desperate because their family is starving. Their baby is starving. They don't have food. They don't have water. They don't have a way to evacuate. There were basic needs in our country. And that was with FEMA and with the National Guard and the amount of public services that we have. And it was one small area. Imagine that on a large scale. Imagine that across our country.

2207.662 - 2226.714 Aaron Crow

When we can't just, you know, rally the troops from all over their country to this one geographical area. Imagine if that was on the East Coast, in the center and on the West Coast all at the same time. It would be, we wouldn't even recover as well as we did at Katrina. And we all agree that we didn't recover well then. Like it was really not our best time.

2226.954 - 2248.904 Kristin Demoranville

No, I mean, look how the other disasters that have happened, whether it's the train accident or Flint, Michigan. Yep. They still have fallout because priorities shift. This is why it's so important for OT to continually beat the drum of this is a problem. This is where it needs to be fixed. If you aren't willing to fix it, you now have to accept the risk that this could potentially happen.

2249.164 - 2265.432 Kristin Demoranville

And by the way, I'm not going to turn around and tell you I told you so. I'm just going to hear your report so you know. Sure. And I'm here if you need me kind of thing. Like, that's it. It's all we can do. But the fact that we have to sit on this type of knowledge all the time and go to sleep at night gets a little frustrating sometimes.

2265.672 - 2276.077 Kristin Demoranville

And this is why I think as a community in OT, the fact that we all support each other so well and kind of uplift and kind of have that therapy moment, if I even want to use that term.

2276.897 - 2305.791 Kristin Demoranville

Um, when we're together, is so important, because I have sat there and listened to tales, and I know you have too, of just stuff that's going on. And obviously that we're being very respectful. We don't talk about where it's happening or what's going on. To have someone tell me that story, and then you could see the weight lift off of them, but now it's on you because you now know. But like, but the fact that, like, we can come together as a community like that, I just wish the rest of the cyber community would do that, right? Let's rally behind each other instead of just being jerks.

2306.551 - 2322.299 Kristin Demoranville

That would be great. And like I said, I adore this community in general. And I love that we fit so well into the companies and the places that we serve because we're just as geeky as they are for what they do. And like I said, we all love to eat, so it should be a no-brainer there.

2322.319 - 2332.625 Kristin Demoranville

I realize that all of us have different relationships with food based on your body and different things in your life, but we all do like to eat and we identify with food from where we're from.

2332.645 - 2333.045 Aaron Crow

Yep.

2333.464 - 2347.903 Kristin Demoranville

It's part of a cultural experience. We celebrate with cake. We, we say goodbye with cake, right? Cake is kind of the thing. We also have, you know, our favorite food memories. I talk about this on my podcast all the time. What's your favorite food and your favorite food memory? What is your favorite food and your favorite food memory? I,

2348.404 - 2368.912 Aaron Crow

have so many because my family, I grew up in Texas and a lot of our celebration, all of our celebrations are really around food. My grandmother making food and whether it's fried chicken or whatever it is, I remember my grandfather having these big mounds. He was a very, very skinny person, grew up very poor. But as an adult, he just loved to eat. So it was always just this big mound of food.

2368.972 - 2386.682 Aaron Crow

We had more food than we could ever eat in a lifetime. Every time we got together, it was always around food. And that's the way. The irony of what you just said, right, is that food memory. We all have those food memories. Now, maybe the food that we bring is different because of where I grew up or where you grew up or what country you're from or whatever.

2386.762 - 2403.112 Aaron Crow

But I think we all tie back to breaking bread together, right? And some of the best relationships, the best nights out at wherever, when I go out with my wife, the best meals that we've ever had. I think they would not be quite as good if they weren't with her. It's the company that you're with.

2403.592 - 2413.057 Aaron Crow

Yes, the food's great, but if you have great food and horrible companionship, all those things are linked together. So it's not going to be that great and memorable of a meal, but if you're with great

2413.998 - 2425.049 Aaron Crow

the people that you're with are amazing, the food can be mediocre and it's gonna be the most memorable time that you have and you're gonna be like, oh yeah, we had this and it was a really good burger or cake or whatever the thing is because you're there together.

2425.089 - 2434.899 Aaron Crow

It's part of human nature that we have all of these things and that we tie it all around the campfire and cooking and eating food together. It goes back to the beginning of time.

2435.539 - 2449.804 Kristin Demoranville

It's also an identifier, right? I mean, you say you're from Texas, so Tex-Mex. We all kind of know what that is in this country. People who live in other countries, because I do have a lot of listeners around the world, you probably had some variation of it in your own country because sometimes other countries do it better than us. Right.

2450.824 - 2468.635 Kristin Demoranville

You know, and I've had some of the best curry of my life in Japan, not Japanese curry, but Indian curry because they do it really well. You know, the UK has its own version of curry. I think that it's interesting how much that blends, right? Because my fiance is British. We do curry on Friday nights, just an example. And curry wasn't something that I grew up with. I grew up in New England.

2468.715 - 2489.372 Kristin Demoranville

We eat basic, boring food. No offense. If my mom's listening, I love you. But it's one of those things where I wasn't used to that. But now it's blended into my culture and my reality, right? And I love how food brings you together like that. Try something new, experience something different, but also have the nostalgia of things you remember. And I remember family cookouts too.

2489.572 - 2500.721 Kristin Demoranville

I mean, we did some weird things with salads and jello and I don't know what was going on. The 80s and the 90s were kind of complicated. Or with like mayonnaise and like, anyways.

2500.941 - 2502.302 Aaron Crow

Margarine, a lot of margarine.

2502.322 - 2504.744 Kristin Demoranville

Yeah. What was the Cool Whip?

2504.884 - 2507.166 Aaron Crow

Oh, yes. Too much.

2507.706 - 2519.717 Kristin Demoranville

Too much. Yes. But these are brand names that we remember and they're still on the market. You can still get them and they're very clearly there. I mean, I don't know if I'd have it now, but I'm in a different state in my life. But, you know, it's fun for kids, you know.

2520.936 - 2536.749 Aaron Crow

But even today, like my kid wins, you know, gets a trophy or whatever. We're celebrating with food. Like, let's get you ice cream. Let's celebrate with ice cream. Let's get you a cookie, like all those types of things. And we try not to go too much because, you know, we don't want them to be unhealthy. But at the same time, it's fun. It's memorable. They enjoy it.

2536.809 - 2554.021 Aaron Crow

Like we, we get joy from this food and we take it for granted, especially in America, where we have unlimited amounts of food. If I want anything, I go to the grocery store and they have anything I want. You like curry, you know, sushi, like you can literally go to your grocery store and get sushi. Is it the best? No, but it's pretty darn good.

2554.161 - 2560.424 Aaron Crow

Comparatively speaking, think about 200 years ago trying to get sushi in the middle of the country. Like it wouldn't have happened.

2560.504 - 2578.432 Kristin Demoranville

I mean, you could probably cut open a freshwater fish and try to sashimi yourself into it, but I don't know about that. But I think it's also changed my perspective on food. When you have it in an authentic space, like I've had the privilege of going to Japan several times for work and I can't eat sushi in the States anymore. It's been wrecked for me. It's sort of like...

2578.752 - 2589.035 Kristin Demoranville

I can't drink Guinness in the States. I really only want it in Ireland or the UK. Like certain things have changed, but then you wait for that moment and you have it and you're like, yeah, it's like, and it becomes this whole awesome thing.

2589.195 - 2610.585 Kristin Demoranville

And if I think about the fact that we have all these issues globally, some of this food that we love and we talk about may not be available to the next generation or the generation after that, because we made bad choices. Yeah. You know? And also the idea that a cyber attack threatened people's lives through food. I can't really think of anything even worse than that. Right.

2610.725 - 2625.096 Kristin Demoranville

Honestly, it's an intimate attack. It's not just like, Oh, we're going after finances and dah, dah, dah, dah. No, no, no. That's to destroy people. Like that is, that keeps me up at night. Not every night, but there's some nights where like, Oh my God, like we're just like a hairpin from it sometimes. And it's,

2625.897 - 2644.769 Kristin Demoranville

I don't want people to know that because I do have professional and friends that have lost children to E. coli poisoning and other different poisonings. And to tell a parent that their child is passing because of a burger that was contaminated, I mean, that makes me want to burn a house down. Like, that's not the answer. Not that I'm an arsonist because I'm a firefighter family.

2644.849 - 2664.017 Kristin Demoranville

However, I will say it does make me very angry. And my anger doesn't matter, right? Because at the end of the day, I can only do what I can do. I want more people to understand that, especially in the OT space, we are doing things that safeguard lives on a whole other level than we expected to in our career. I certainly didn't think this was going to happen in my career. No. No.

2664.557 - 2682.528 Kristin Demoranville

be like putting, someone was like, oh, you're putting a cape on every day and, like, a superhero. And I was like, I don't know if I want to go that far, but, um, if it helps you with the visualization of what I do, that's fine. But I don't want to put myself on that level. This isn't a pedestal moment, because we are a team. Like, OT works as a team. We really believe that we are in supporting each other.

2683.128 - 2703.923 Aaron Crow

100%. Honestly, I think we should all put on the cape, right? I think it's everybody's duty to do your part in whatever small way that is, right? The people part of that is we all have a calling to do something and each person's little contribution in stopping and saying things and raising your hand and not just, oh, well, he's smarter than me. He's been here longer than me.

2703.943 - 2722.793 Aaron Crow

I'm not going to say anything. No, raise your hand, like voice that concern, bring that thing up, you know, bring, you know, push that agenda or idea ahead because it matters. In the grand scheme of things, it takes us all to challenge, you know, evil prevails when good men do nothing, right? It's really that simple of we have to stand up and say, no, that's not okay.

2722.953 - 2727.755 Aaron Crow

Like we have to stand up, even when nobody else in the room is going to agree with you. I don't care. Stand up and say it.

2728.115 - 2756.749 Kristin Demoranville

And be curious. Start asking questions like, oh, really, is that OT? Like, I wasn't going to actually ask me that, like, oh, do you think that's OT? I'm like, yeah, it's connected to the internet and whatever. It's, you know, and I want that question. Be curious to the point of annoyance. We don't mind. We really don't. And we want you to ask questions, and we also want to ask questions. That's what we do, because we are constantly evaluating everything. It was funny, um, when CrowdStrike hit, as an example, first of all, my heart went out to anybody with it, obviously, but

2756.869 - 2775.445 Kristin Demoranville

but it didn't surprise neither myself or my fiance because both of us are in security. So in OT specifically, and it was just one of those like, you know, like this is not good. However, hopefully it's a lesson learned moment where you can't just have one thing holding the pillar up out of all of it. You need to actually have a better look at it.

2775.626 - 2782.752 Kristin Demoranville

And I hope that the people that were affected are taking a long, hard look of what they have in their environment. Now, what else could be critical and concerning?

2782.932 - 2796.907 Aaron Crow

Yep. And my biggest concern with the whole CrowdStrike issue is that I think from what I've seen, I think a lot, and from my experience, a lot of these folks are going to be pointing the finger at CrowdStrike as a company and looking at, hey, this is what you did wrong.

2797.268 - 2807.077 Aaron Crow

And I'm not saying there is no blame because in this, it's just like, you know, anything there's blame, there's plenty of blame to go around, but that's not going to solve anything. At the end of the day, yes, there was a misconfiguration. They pushed out something.

2807.197 - 2822.127 Aaron Crow

But ultimately, the bigger problem was, is that these companies just randomly pushed it across their entire organization without testing. Like in an OT environment, especially in a power plant environment or any of these critical infrastructure, I would never just blind. I don't care if it's been tested 50 times before.

2822.287 - 2830.192 Aaron Crow

I'm going to push it to one system, make sure that it comes back up, and then I'll push it to a second one and make sure that one comes back up. And then I'll push it to a third one. It's a pain in the butt and it takes longer.

2830.212 - 2830.452 Kristin Demoranville

It's crazy.

2831.232 - 2845.839 Aaron Crow

But it's what I'm going to do because I've seen the bad side of this for the past 20 years. This is not the first time I've gotten a blue screen because of an update. So I'm not going to get burned by that again. It won't be the last time either. It won't. And it's not CrowdStrike's fault.

2845.939 - 2858.225 Aaron Crow

Like, yes, this incident, it was caused by CrowdStrike, but it's not the bigger picture of the root cause analysis. If I did a root cause analysis on this, the issue, yes, that was the trigger, but that is not the root cause of the problem that caused this bigger issue.

2858.405 - 2877.275 Kristin Demoranville

It's people and process. Exactly. It really is. And actually, when the event happened, I messaged a good friend of mine, my best friend, actually, who works in a cheese company in Wisconsin. Insert laughter. But I asked, I said, I know you guys have CrowdStrike. Like, are you guys all right? He goes, well, actually, we happened overnight. We were able to pull some backup systems.

2877.615 - 2898.34 Kristin Demoranville

We're able to roll it back. So it didn't affect our production. It just affected like a sanitation shift. Thankfully, the food industry was okay, which is good from the small sampling I did in my life. But I was glad to hear that they focused on resilience more than recovery. And I was like, yes, like we're getting there slowly. I don't care if it was five people I knew, but it was good.

2898.96 - 2920.816 Kristin Demoranville

But as OT professionals, I can't even tell you when you read an article or have a conversation with somebody and they're like, oh yeah, it's about legacy systems that aren't patched. Is it? I mean, what? There are systems inside some of these factories that I've worked in, I know you've seen this too, that are probably like 40 years old, probably running a 98 second edition rocking it, right?

2920.836 - 2935.682 Kristin Demoranville

98 second edition is a solid operating system if it's still up. I'm sorry. We all know you don't touch the dust. You don't touch anything on it because it's probably holding it up by a thread, which isn't good because you don't want that either. But there's ways around dealing with that that you don't have to operate.

2936.062 - 2954.33 Kristin Demoranville

because upgrading a system like that is probably running one process that comes up once a quarter. It's gonna be millions of dollars. Probably the entire budget for a year for a company, right? The trick is, it's just making sure that you segment it and you know it exists. And making sure you watch it, like just watch it. It doesn't have to be anything more than that.

2954.71 - 2969.38 Kristin Demoranville

It doesn't have to be the big fancy, everything around it and all these bells and whistles. I mean, if you could afford all that, that's cool. But do you need all that? Somebody once said on a podcast of mine, not that long back, do you actually need that tech? Are you okay without that tech? Specifically talking about farming.

2969.58 - 2985.171 Kristin Demoranville

And I was like, that's a really great question because you actually need it. If everything's working okay and you're okay and everything else around it is okay, why do you need to bring that in? And he goes, isn't that just another risk attack factor? And I was like, this is a brilliant conversation. I love this. Because it's true.

2985.572 - 3003.145 Kristin Demoranville

That's how I think about it in a lot of these industrial environments. Do you actually need that? Do you need to be able to sit on your couch at night and monitor the temperature of your vat? I mean, if you do, tell me. That's fine. But do you really need it? Because you have a 24 by 7 plant. If it's got a practical reuse, that's brilliant. We'll do it.

3003.305 - 3021.336 Kristin Demoranville

But if it's anything crazy, let's rethink it. I think we need to have that conversation more in the industry, especially in food. Cause we automate, we add all these really cool things and we do all this stuff and it's awesome. And now we have like Chick-fil-A mobile delivery units in Georgia. I don't know if you've seen them. They're kind of creepy. It's

3021.977 - 3032.912 Kristin Demoranville

It's literally like a little bike that drives up to your house, and it's all automated, and it's insane. Wow. And I'm just like, I don't know. I don't know if we've gone too far. Yeah. Like, maybe we should roll that back.

3033.851 - 3052.048 Aaron Crow

Well, I'll give a last story here. And it's very similar to that. You know, working in these places, operators have, we do what's called operator rounds where they walk around with some kind of handheld. It could be a piece of paper or whatever. In this particular area, it was a power plant and they were, we had RFID tags on equipment. So they would.

3052.308 - 3068.715 Aaron Crow

The operator would walk up and they would scan the RFID tag and it would pull up the operator round portion and it would be a valve or a gauge or something. And they would, you know, put in readings, you know, temperature, pressure, you know, vibration. They put hands on it. They talk about if there's anything, any oil leaking or if it's dirty or whatever the thing is for that.

3068.755 - 3084.639 Aaron Crow

And it could be, you know, 10 steps long or it could be 100 steps and it could take them all around the facility. And we started noticing as we were doing reviews of the operator round and the data, it just, the data didn't make sense. And we were trying to get better information to do tuning and all that kind of stuff. And it just didn't make sense.

3084.699 - 3098.743 Aaron Crow

And sometimes the numbers were like way off, like temperature would be 9 million. Like, yeah, I don't think so. So is that an error? Is that an operator error? Are they entering it wrong? Is a key sticking? Like what is going on there? So as I'm walking it and I'm doing this.

3098.803 - 3111.234 Aaron Crow

And so I've got this guy and we're doing a round and we're walking and he's scanning and we're going through it and everything looks fine. And then at lunchtime, we go in the break room where all the operators hang out and they're in there playing dominoes. And as they're playing dominoes, one of the guys, he's like, oh, hang on.

3111.374 - 3127.508 Aaron Crow

And he leans back in his chair and right behind him, he's got the handheld in his hand. He leans back in his chair and he scans an RFID tag that's sitting on the wall. And he does something on his thing and he goes back to playing dominoes. And I was like, what did you just do? He's like, Oh man, I got to do a round right now, but I'm in the middle of the game.

3127.528 - 3144.404 Aaron Crow

I'm like, okay, what'd you just scan? He goes, oh, I made a copy of all the RFID tags that are out in the field. And I just scan them right here and I can do it right here from the lunchroom. So they had gone out of their way, gotten blank RFID tags, went through all the rounds and duplicated every RFID tag. And he knew how long it took him to get from one to the next.

3144.504 - 3147.047 Aaron Crow

And he was just randomly scanning them and putting in fake data.

3147.467 - 3148.108 Kristin Demoranville

Oh, okay.

3149.809 - 3172.85 Aaron Crow

I mean, so it goes back to your point of, sometimes you don't need the RFID tag and the fancy thing to make it more efficient and know exactly when they're scanning. Sometimes you just need somebody to watch over and say, hey, that's not a good idea. And those things had been there for a long time and nobody noticed. Nobody saw somebody. It took me five minutes. Like, I was in there for half a day and

3172.91 - 3190.022 Aaron Crow

And I saw him scanning in the lunchroom and it was very obvious, but nobody ever checked. It's not the guy was a bad guy. He was just, everybody else had done it. He thought it was okay. He didn't understand. And it really came back to a people problem. And it wasn't that this was a bad person. He didn't understand the value of the round.

3190.082 - 3204.052 Aaron Crow

So when we started digging into it, it was like, dude, we've been putting fraudulent data in here forever because the system is broken and nobody says anything. So obviously you guys are not getting value from this. So it's a waste of our time. And that's really what it came down to is they thought it was a waste of time.

3204.152 - 3212.639 Aaron Crow

So why am I going to go walk out there for something you're not looking at anyways? I'm going to stay here and play my dominoes. And he wasn't wrong. And we were trying to fix the problem.

3212.759 - 3231.797 Aaron Crow

And the ultimate problem was explaining and fixing it so that we were looking at the value instead of just having them do menial tasks to make sure they weren't being lazy, which is what originally I think the thing was put in for. And it completely broke it and it blew it up. And we changed the policy all throughout the company because of that one incident that we found.

3231.857 - 3240.486 Aaron Crow

And he didn't get in trouble. In fact, I thanked him for letting me see it. And I asked for his help to help me build a better process that they would be part of and want to make it better.

3240.666 - 3243.389 Kristin Demoranville

See, this is why you got to go back and talk to the people because...

3244.23 - 3272.217 Kristin Demoranville

They'll find the exploits for you, you know, and they'll tell you. And he didn't do anything inherently wrong. No. It just, it seems a little shady, of course, when you describe it. You're like, oh my goodness. But, um, but at the same time, like, first of all, good on them for exploiting a system, like, was causing a problem for them. And also, if you don't work with the environment you're in, it's never going to work. I remember, I didn't, this is something I learned on the job. Did you know that Wi-Fi signal does not go through bags of flour?

3272.717 - 3273.077 Aaron Crow

Makes sense.

3273.097 - 3288.881 Kristin Demoranville

Yeah, it does. But I never made the connection because I've dealt with it before. And I found a maintenance manager who had no cybersecurity background or IT background on a scissor lift moving an access point because they couldn't get signal to pick the orders on their little forklifts.

3289.522 - 3302.548 Kristin Demoranville

So he was up there and I just happened to be in the factory that day walking to the floor to get to the production area. And I caught him and we had a fight right on the floor, not physically, just, you know, verbal altercation of you're an idiot, you're an idiot kind of thing and back and forth.

3303.008 - 3321.319 Kristin Demoranville

And then my response was, why didn't you do a heat map scan for the Wi-Fi when you had a full warehouse? And he goes, because we're busy. And I was like, OK, then you need there needs to be some give and take here. Let's have a conversation. I got somebody in to do it right after I'm able to kind of like readjust a little bit. But oh, man, like exactly.

3321.359 - 3325.522 Kristin Demoranville

People are going to do whatever they have to do to get either play dominoes or get orders picked.

3326.023 - 3346.676 Aaron Crow

Exactly. Exactly. Having conversations like this. I love having conversations with people no matter what their experience level. If you're a student or, you know, you've been doing this for 30 years, there's always something to learn and great conversations to have. And that's why you and I do this. Like we want to spread this knowledge, not pretend that we know it all. We never I never claim it.

3346.696 - 3361.908 Aaron Crow

I've never heard you claim it. Like, no. Yeah. We just enjoy having these conversations and using our experience for good to hopefully make a difference and leave the space in a better place than where we started out.

3362.228 - 3364.49 Kristin Demoranville

That's right. That's exactly what it is. Absolutely.

3364.67 - 3367.452 Aaron Crow

Well, thanks again. It was a great conversation. I really appreciate it.

3367.472 - 3395.179 Kristin Demoranville

Great. Anytime. Thank you so much for listening to today's episode of the Bites and Bytes Podcast, which is produced in collaboration with the PrOTect IT All Podcast. A big thank you to Aaron for sharing his experience and his humor. Don't forget to like, follow, and share this episode. Also, if you haven't already subscribed to Aaron's podcast, please ensure you do so.

3395.539 - 3416.176 Kristin Demoranville

And remember, from August 1st to October 1st, vote for Bites and Bytes Podcast for the Women in Podcasting Awards. Link is in the bio and on the website. Also check out the show notes for links to today's conversation and hop on over to our website for even more details on today's episode and more. Stay safe, stay curious, and we'll see you on the next one. Bye for now.
