Aaron Crow

There is no product I can grab off the shelf that's going to take away all the risk if I install it in an OT environment. I wish there were, but there's not. There's just not.

There is no product I can grab off the shelf that's going to take away all the risk if I install it in an OT environment. I wish there were, but there's not. There's just not.

We have droughts, global warming, fun times. Well, a friend of mine is I won't name the name, but a friend of mine works at a social media company with a very large data center. There's there's there's quite a few of them. It doesn't matter which one it is, but they have millions of PLC's millions.

We have droughts, global warming, fun times. Well, a friend of mine is I won't name the name, but a friend of mine works at a social media company with a very large data center. There's there's there's quite a few of them. It doesn't matter which one it is, but they have millions of PLC's millions.

controlling all sorts of things from temperature to pressures to, you know, lights and air conditioning and valve. Like there's so much there's halon systems and all these different things. Buildings have OT like any skyscraper, even not even a skyscraper, just a normal building you walk into. There's controls around sprinkler systems and all these different things. OT is everywhere.

controlling all sorts of things from temperature to pressures to, you know, lights and air conditioning and valve. Like there's so much there's halon systems and all these different things. Buildings have OT like any skyscraper, even not even a skyscraper, just a normal building you walk into. There's controls around sprinkler systems and all these different things. OT is everywhere.

We just didn't always classify as such. Like it's a new term, relatively new term. It's been around forever. We've been doing automation since the fifties. and before really, but automation has been around. We've just started putting the technology side and putting IP addresses on it.

We just didn't always classify as such. Like it's a new term, relatively new term. It's been around forever. We've been doing automation since the fifties. and before really, but automation has been around. We've just started putting the technology side and putting IP addresses on it.

So we brought these other risks into this space, but the OT's been here for, I mean, my dad worked in power utility for 40 something years. He's in his mid seventies now. He's been doing this this whole time. He was never cyber related. It was always control systems and control engineer and automation and instrumentation and even continuing emissions monitoring as that came in to be a thing.

So we brought these other risks into this space, but the OT's been here for, I mean, my dad worked in power utility for 40 something years. He's in his mid seventies now. He's been doing this this whole time. He was never cyber related. It was always control systems and control engineer and automation and instrumentation and even continuing emissions monitoring as that came in to be a thing.

But all of these things have been around for decades. We're just solving new problems to old, adding new problems to existing and older problems.

But all of these things have been around for decades. We're just solving new problems to old, adding new problems to existing and older problems.

Absolutely. And the talk I gave it at DEF CON actually in the ICS Village was about cyber informed engineering, which came out of a term came out of Idaho National Labs, which is a DOE sponsored laboratory. And the whole concept around it is we need to build cyber as part of the overall system. and integrate that when I'm designing the system, cyber needs to be considered, right?

Absolutely. And the talk I gave it at DEF CON actually in the ICS Village was about cyber informed engineering, which came out of a term came out of Idaho National Labs, which is a DOE sponsored laboratory. And the whole concept around it is we need to build cyber as part of the overall system. and integrate that when I'm designing the system, cyber needs to be considered, right?

We've got old equipment, we've got legacy equipment, we've got new equipment. Anywhere in there, we need to be considering cyber as a risk and as a part of our remediation. How are we going to recover?

We've got old equipment, we've got legacy equipment, we've got new equipment. Anywhere in there, we need to be considering cyber as a risk and as a part of our remediation. How are we going to recover?

When we say cyber, people that are outside of this or even people at DEFCON and Black Hat, when I had this conversation, they immediately think, well, I'm a nation state, North Korea, China, whatever. It doesn't necessarily mean that. It can be simple ransomware. It can be misconfigured hardware. It can be an insider threat.

When we say cyber, people that are outside of this or even people at DEFCON and Black Hat, when I had this conversation, they immediately think, well, I'm a nation state, North Korea, China, whatever. It doesn't necessarily mean that. It can be simple ransomware. It can be misconfigured hardware. It can be an insider threat.

There's a lot of things, and it's not always bad actors from another country that are trying to attack us and start World War III. Some of them are, but not all of them.

There's a lot of things, and it's not always bad actors from another country that are trying to attack us and start World War III. Some of them are, but not all of them.