Aaron Crow

Awesome. Hey, thank you for joining me. Kristen, why don't you introduce yourself? Tell us who you are and what it is that you do.

Awesome. Hey, thank you for joining me. Kristen, why don't you introduce yourself? Tell us who you are and what it is that you do.

Very cool. Well, and for your listeners that maybe don't know me, my name is Aaron Crow. I've been in cybersecurity and network security and this OT thing before it was ever called that. I grew up in working in critical manufacturing, power utility, a lot of those critical infrastructures. I actually do have some experience in the ag side as well. I'm from Texas.

Very cool. Well, and for your listeners that maybe don't know me, my name is Aaron Crow. I've been in cybersecurity and network security and this OT thing before it was ever called that. I grew up in working in critical manufacturing, power utility, a lot of those critical infrastructures. I actually do have some experience in the ag side as well. I'm from Texas.

So, you know, there's a lot of plants and things like that in this space from chicken plants and a lot of, you know, ranchers, et cetera. Right. So, you know, I've I also have a podcast, Protect It All, and emphasizing OT and IT. I do emphasize a lot of that in the OT space. But as we talk about this stuff, I had this conversation. This is, what, the 14th of August when we're recording this.

So, you know, there's a lot of plants and things like that in this space from chicken plants and a lot of, you know, ranchers, et cetera. Right. So, you know, I've I also have a podcast, Protect It All, and emphasizing OT and IT. I do emphasize a lot of that in the OT space. But as we talk about this stuff, I had this conversation. This is, what, the 14th of August when we're recording this.

And I just came back from Black Hat and DEF CON. And I had so many questions and I work in the ICS Village. I'm a volunteer in the ICS Village, which is a nonprofit. If you don't know about that, definitely check it out. ICS Village is great. They do a lot of training and nonprofit things to kind of spread the word for operational technology and the importance of it.

And I just came back from Black Hat and DEF CON. And I had so many questions and I work in the ICS Village. I'm a volunteer in the ICS Village, which is a nonprofit. If you don't know about that, definitely check it out. ICS Village is great. They do a lot of training and nonprofit things to kind of spread the word for operational technology and the importance of it.

But a lot of the conversations I was having at DEF CON, I've got this really cool blinky light OT wall that's got a PLC and secure mode access and a firewall. And it's really just a conversation piece to help people understand and I got so many people, this is 2024. And there's so many people that came up to me and were like, what is this? So I said, oh, well, this is OT in a box. What's OT?

But a lot of the conversations I was having at DEF CON, I've got this really cool blinky light OT wall that's got a PLC and secure mode access and a firewall. And it's really just a conversation piece to help people understand and I got so many people, this is 2024. And there's so many people that came up to me and were like, what is this? So I said, oh, well, this is OT in a box. What's OT?

And I'm like, oh, okay. Like we still, many of them, and I love the question. Like I'm very glad that they said, I don't know what that is. Like, or some of them were like, I've heard of it. I don't exactly know what it is. So it was great to just be able to have that conversation, explain it. And there was one gentleman that he was going for his PhD, his dissertation.

And I'm like, oh, okay. Like we still, many of them, and I love the question. Like I'm very glad that they said, I don't know what that is. Like, or some of them were like, I've heard of it. I don't exactly know what it is. So it was great to just be able to have that conversation, explain it. And there was one gentleman that he was going for his PhD, his dissertation.

And he was he was writing this dissertation from an IT OT convergence. We hear that all the time. I know my face did the same thing when he said it. And we had this conversation. He's like, well, I think OT and IT have already converged. And I'm like, really? Like, explain that to me. He's like, well, the technology is the same. OK. I'm like, he goes, it all OT now all has IP.

And he was he was writing this dissertation from an IT OT convergence. We hear that all the time. I know my face did the same thing when he said it. And we had this conversation. He's like, well, I think OT and IT have already converged. And I'm like, really? Like, explain that to me. He's like, well, the technology is the same. OK. I'm like, he goes, it all OT now all has IP.

So that means it's IT. And I'm like, oh, no, no. So I had a 30 minute conversation with this gentleman about why I feel that OT is different than IT. The technology is the same. Like we see VMware and network servers and switches and all that kind of stuff that we have seen in IT now in OT. But the difference is, is what we do with it and what it impacts, right? And the implementation of policies.

So that means it's IT. And I'm like, oh, no, no. So I had a 30 minute conversation with this gentleman about why I feel that OT is different than IT. The technology is the same. Like we see VMware and network servers and switches and all that kind of stuff that we have seen in IT now in OT. But the difference is, is what we do with it and what it impacts, right? And the implementation of policies.

I can't just take an IT policy and push it into OT because it breaks stuff. It just doesn't work. And we've seen that and it doesn't matter the vertical. You're in agriculture, in power utility, in oil and gas, in wastewater. It doesn't work to push it down in that way because it breaks stuff. And it's just a different way. Like we just saw this CrowdStrike.

I can't just take an IT policy and push it into OT because it breaks stuff. It just doesn't work. And we've seen that and it doesn't matter the vertical. You're in agriculture, in power utility, in oil and gas, in wastewater. It doesn't work to push it down in that way because it breaks stuff. And it's just a different way. Like we just saw this CrowdStrike.

I talked about the CrowdStrike incident a thousand times this week. That's a great example of I should not be patching or pushing updates to my OT systems. Just, hey, send it all. I should be sending to one at a time so that I can test and make sure like, We should all have a testing plan. And it's not a CrowdStrike issue. It's a policy.

I talked about the CrowdStrike incident a thousand times this week. That's a great example of I should not be patching or pushing updates to my OT systems. Just, hey, send it all. I should be sending to one at a time so that I can test and make sure like, We should all have a testing plan. And it's not a CrowdStrike issue. It's a policy.