In this episode of Modern Cyber, Jeremy sits down with Kristin Demoranville, founder and CEO of AnzenSage and co-founder of AnzenOT, to explore the unique challenges of securing operational technology (OT) in industries like food production, agriculture, and manufacturing.
In this episode of Modern Cyber, Jeremy sits down with Kristin Demoranville, founder and CEO of AnzenSage and co-founder of AnzenOT, to explore the unique challenges of securing operational technology (OT) in industries like food production, agriculture, and manufacturing. They discuss the complexities of OT security, the importance of segmentation and asset management, and the critical need for empathy and resilience in cybersecurity. Kristin also shares fascinating insights from her past research on gorilla behavior and how it informs her security strategies today.
About Kristin Demoranville
Kristin Demoranville is a seasoned cybersecurity and risk management expert with 26 years of experience in the tech industry. She is the founder and CEO of AnzenSage, a firm dedicated to cybersecurity solutions in the food and agricultural sectors, and co-founder of AnzenOT, an innovative SaaS OT Cybersecurity Risk Intelligence solution. Kristin holds a degree in environmental management, and her studies included researching gorilla behavior, which brought a unique perspective to her work. She excels in crafting and implementing risk cybersecurity strategies, particularly within OT/ICS environments. As the host of the Bites & Bytes Podcast, Kristin drives meaningful conversations at the intersection of food, technology, and cybersecurity.
AnzenOT Website - https://www.anzenot.com/
AnzenSage Website -https://www.anzensage.com/
Kristin on Linkedin - https://www.linkedin.com/in/demoranvillekristin/
Bites & Bytes Podcast - https://www.bitesandbytespodcast.com/episodes
Alright. Welcome back to another episode of Modern Cyber. As usual, I am your host, Jeremy. And we have a conversation today that I promise you touches your life every day. And it's not often that we can actually say that here on Modern Cyber.
We talk to guests from a whole range of industries, technology platforms, different vendors, different customers, etcetera. But today's conversation will focus on use cases around OT, around food safety, around the security of supply chains, and all these things. And for that conversation, I'm delighted to be joined today by somebody who knows a heck of a lot more than I do about this because I know pretty much next to nothing. I know that these things exist. I know they're super important, but I don't honestly know quote unquote how the sausage is made.
So for today's conversation, I am thrilled to be joined by Kristin Demoranville, a seasoned cybersecurity and risk management expert with twenty six years of experience in the tech industry. She is the founder and CEO of AnzenSage, a firm dedicated to cybersecurity solutions in the food and agricultural sectors. Super important. She's also the cofounder of AnzenOT, an innovative SaaS OT cybersecurity risk intelligence solution. We're gonna talk both about both of those companies, about both of those topics, and much, much more with Kristen.
Kristen holds a degree in environmental management, and her studies included researching gorilla behavior, which brought a unique perspective to her work. She excels in crafting and implementing risks risk security strategies, particularly within the OT ICS environment, and she's also the host of the Bytes and Bytes podcast. We'll get the spelling and the links to that in the show notes. So if it's confusing enough for you right now, don't worry. There will be links towards the end of today's conversation.
Kristen, thank you so much for taking the time to join us today on Modern Cyber. Absolute pleasure to be here. Thank you for having me. Awesome. Awesome.
Well, just to dive in, you know, I think a lot of people will have heard the terms OT and ICS previously, but maybe just as a a kind of an introduction to today's conversation, how do you define those? What do they mean? Sure. Actually, you'd be surprised people really don't know. They interact with it every day, and they don't even know.
And it's it's fine. We don't need everybody to know because then they probably start doing things to it. Operational technology or industrial control security or systems is how our modern world runs, ultimately. Yep. And anything from an elevator to a car to, what you think of the big industrial things like oil refineries and water treatment facilities, equipment generators.
Exactly. It could be as simple as an IoT device in a hospital. It could be the pacemaker in someone you love. It could be anything like that is considered operational technology or, like, ICS or IoT or industrial IoT. I know some people are gonna fight me on the medical devices, but the medical devices are made by OT.
So I'm gonna say it's sort of still in the wear the wheelhouse. But it even goes even further than that. It's about tractors, and it's about food production and production lines. It's about different equipment that transports via refrigeration. It's those kind of things too.
It's not just, you know, bridges and dams Yeah. And other things like that. It's literally how we get our food and how we make our food every day. Yeah. Yeah.
I I'm super curious. You know, a lot of the guests on our show, one of the first questions I always ask them is, like, how did you get into this? What's your journey been? Actually, it's not been straight at all. It's definitely been serpentine.
I think a lot of people say that in cybersecurity. What I think they do still to this day. But, my journey actually started in a lot of IT and break fix and, customer support and troubleshooting and learning how to deal with people's behaviors and trying to manage that too. Eventually ended up in a bakery company. Okay.
And I was doing OT and, and IoT and I and and all different kinds of other things while I was there. I didn't make the connection in my mind that I was actually doing OT because I was in IT department because a lot of these smaller midsize companies don't have their own dedicated OT, or industrial control, anything. So I was doing a lot of OT work and not realizing it, and then all of a sudden, the split happened, and we kind of created these kind of different divisions and people understood. So I now rolled into a security team that was handling OT issues as well. But I was around food.
It was food production. Yeah. Until I learned that anything I touched had to do had ramifications in food safety. It really connected me to the process of the food industry and food systems because it's the most complicated system on the planet that we made as humans. So understanding how it all works and the intricacy of it, it was really important.
And then I I'm more of a manufacturing in that regard now because I've had that experience. So I've wandered through electronics companies and semiconductors, water treatment facilities because I have degree in environmental management like you said. And then I've worked with Zoos and Aquarium, so I have that OT experience as well. So there's a lot of, like, little things that but, honestly, I just needed a job, Jeremy. That's what I needed.
I needed a job. Yeah. And that's how I got into it. So, Yeah. And then moving through different consulting firms, I realized that we needed to have more niche boutique understanding of industry because a lot of people can say that they have, knowledge in different aspects of cybersecurity.
But then all of a sudden, it will turn into, well, do you have any industry experience? Because a lot of the vendors are even telling me now that they're desperate for industry experience because that's what the customers want. They want someone to come in and say, I know your industry, and I'm here to help. The problem with OT is it's very heavy in oil and gas, which is totally okay and should be entirely regulated. So is automotive, but there's no real cybersecurity regulations that fit in food and agriculture.
There are plenty, obviously, in food safety. There's plenty of things, like, around that, and there's a lot of Yeah. World as well as just United States. But in terms of cybersecurity, there's not that connection hasn't clicked yet. So it's hard.
Yeah. There's so much that I wanna get into here, but I wanna start with, like, just a couple of things that that came to mind as you were walking through that journey. First of all, by the way, I I empathize with a lot of what you said is that, like, you know, for all I think many people that I know in the cyberspace, this was not something that, you know, twenty some years ago when I got started, it wasn't really a career. There wasn't much of a career path in cybersecurity. You kind of fell into it along the way as a result of doing other things.
In my case, it was, you know, failed software developer became kind of an IT guy. I did my share of help desk and break fix stuff and I hate printers as a result of that. We all hate printers. Yeah. Seriously.
Right? Like, they're the worst. They are the worst. At the same time, you know, you kind of go through this thing. One of the things that comes to mind though around OT and ICS in particular is, like, when did these systems start becoming technology platforms as opposed to just machines?
Like, when did the software and the controller elements start getting rolled into them? So I think a lot of it happened when all this digital transformation really started to kick in, whether it was for profit or for sustainability or whatever we were talking about at the time. I really saw, and and I'm sure people are gonna clock me for this, but I would say over the last, like, fifteen years, it's really been a huge surge, maybe even twenty. But for the most part, sensors have always been on the line. It wasn't until we started adding the Internet that it became a conversation.
And a lot of these devices, as you probably know, were never meant to be on the Internet. They don't know what it is. They don't understand it. There's the protocols around it are not there. There's devices that connect to the machines that connect to the network.
It's very it can be very tricky. So I think a lot of people in these different types of industries just started connecting these devices because I thought, oh, hey. We can pull data. We can create a data lake. We can, you know, do all these really great things on prem.
We have all these this information. We can start making better decisions. Predictive analytics. I I remember one of the first use cases. Big data.
Right? Right. I remember one of the very first use cases I heard about was, like, oh, predicting when a certain, you know, piece of machinery is going to fail is, like, the killer use case that's gonna save so much time, drive so much efficiency in all of these systems. That's the one that I remember. But I think your point about, like, you know, systems have probably had controllers for a while, but that that that transition point from when it went from individual systems to then systems on a network sending data back is probably, like, that that's a good way to think about dividing the pre and post eras.
Right? Yeah. And I think also a lot of the reason why some of these devices ended up on the Internet as well. It wasn't just to track, like, the efficiency of whatever they were making or whatever they were doing or creating or monitoring. It's about employee safety too.
Right? So if they could, you know, predict or track behaviors in a way that would help keep people safe and comply with OSHA and all these other regulations Yeah. Like, yeah, they're gonna do that. So Yeah. There's a twofold issue here.
It's about production, and then it's about, employee safety. And Yeah. Cybersecurity doesn't fit into either one of those little houses. Goodbye. They don't wanna talk to you.
So it's, it's definitely a journey. I think that we have probably I'm gonna throw it down. We have the best niche in, cybersecurity, OT and ICS. We definitely are a a different breed of people because it's not about data for us. It's about safeguarding lives.
So we have a different mission. We feel that every day. We don't get stuck in the squabbles of regular security and Yeah. Craziness that happens there because we're too busy worrying about if we're gonna have everybody go home that day or Yeah. Anybody's gonna have to have that conversation.
So it's a different kind of feeling. I I love it because of that, and the people that are here are some of the most genuine, good human beings you're ever gonna meet. I mean, first of all, that's very awesome and reassuring to hear. I I wanna push back on a on something that you said there and just kind of, like, not challenge it, but just get your perspective on on a reaction that I had to it as you were saying it. And that is you said, like, you have the best niche within cybersecurity.
I absolutely would not argue with anything you said around the mission of what you're doing because these are generally life sustaining technologies that we all are dependent on every day as as we kind of mentioned in the introduction. But what I what I kind of wonder about is there's part of me that says like, actually in a way you have the worst niche in cybersecurity because you have like this you tend to have disconnected one way systems. There there's a book that one of our advisors wrote called If It's If It's Smart, It's Vulnerable. Mhmm. And, you know, the the I don't know if you've read the book from Mikko Hipponen, the the renowned Finnish cybersecurity researcher, but one of the core arguments of the book is that, like, you know, all these systems that are out in the world, OTICS whatever, whether it's an elevator or food production system or whatever, they tend to be one way systems that send data back, but they sit on a network, and so they are kind of interoperable in a sense.
And they have a BIOS that's preloaded with an operating system and a piece of software that isn't getting ongoing updates. And so when that vulnerability is discovered in that system, it tends to exist in all of the versions of that model that are everywhere around the world, and it's not getting patched. And, you know, there are countless stories of doorbells and, smart refrigerators and other devices that have been, you know, hacked and co opted into botnets and things like that. And so when when you said that, I was like, well, yeah. Okay.
I I can't argue with the mission of what you're saying, but you also have maybe one of the most challenging technology platforms to think about securing. Right? Yep. So I my first thought to that was pot I'm staying positive, and that's how I was gonna view it because we deal with life threatening things that if something does go wrong, there's going to be major consequences. Not just loss of life from that facility, but also it could be an environmental disaster immediately.
So the ability to stay positive through that, and the community does that I think is really admirable. That's why I say it's the best niche. We don't focus on the we don't focus on the problem. We focus on the solutions. We have to be solution focused and resilient focused.
So in that regard, there's my defense with that. However, you're right. There are a lot of systems that are and these embedded systems are very difficult to work with. I just met someone recently who's getting their PhD in embedded systems, and I thought that was the coolest thing I'd ever heard of because we need people to start figuring that out. Do I think that every system needs to be patched in an industrial environment?
Yeah. I I don't think so. I do not think so. I think if you have proper segmentation and you have a good understanding of your asset inventory, no. I don't think so.
However, I think you need to be aware Both of those are super big assumptions, which are, you know, like, as we all know from from our years and decades in the space, like, 90% not true. But fair enough. Sorry. Didn't mean to interrupt. Please continue.
No. You're totally fine. I think a lot of it comes down to understanding your asset inventory and your people and process around it. If you don't have those understandings in that environment, it's gonna be make it very difficult for you to secure anything. You can't even secure probably the access control to enter the building if it's gonna be like that.
So I think a lot of it comes down to how you manage and mitigate risk in those environments. Now if you wanna get down to the nitty gritty of, do you need any antivirus or anything like that on some of those systems? No. I've seen entire production lines be shut down because somebody decided that they need to install an antivirus onto those embedded systems. If you have proper segmentation, if you have a good understanding, if you are monitoring it, I don't see a major issue there.
Now is there gonna be one outlier because somebody is waiting in in the wings, if you will, of a bad actor? Yeah. Of course. There's always those people because we can't seem to stay ahead of them, can we? We don't we all have jobs because people are constantly trying to pick at our systems.
I think it's about perspective. You need to be able to stay resilient through a cyberattack because that's what's gonna happen. At some point Yeah. Somewhere, it's gonna hit your facility. We all know this.
It's not something that we hide from. But how you manage it and how you get through it, like I said, production uptime and safety of employees is paramount. So if you can get through that and limp through that and not have any disasters happen, you'll be alright. You know, it's not gonna be the best thing in the world and will be really uncomfortable. My first breach actually took place in that bakery company that I spoke about.
It It was extremely uncomfortable because it was a holiday weekend, of course, because it always happens then. Thanks, guys. And, it was, really difficult to sit in that room and to deal with that, and I had just been appointed acting CSO. So, like, for me, it was a lot that was a lot on the line right there. Nobody for you never forget your first breach anywhere.
No. But thank thankfully, it didn't actually affect our production system, so I got lucky. It was a very lucky situation. But it was very, frustrating because, ultimately, it was a human error situation. So because of that, again, it goes back to people and process.
A lot of that comes down to, you can have all these sophisticated hackers. You can have all this AI, all this other nonsense, but, ultimately, it's gonna be your people. So, again, it goes back to a lot of that. These embedded systems are difficult to work with only if you let them be. You don't have to be overcomplicate it.
Keep it simple as you can because Yeah. As you and and if you make it simple, it's gonna be able to be dealt with better. And like I said, as long as you have a good understanding of how people were interacting with them Yeah. And why they need to be connected. And do they need to be connected?
And do we really need this new tech? Or are you doing something that you didn't inform me about because we're still just really transforming? Why do we need these things? I think about, like, chicken houses are all digitally, been modified now. You can monitor chicken's health via app from wherever.
And it startles me because nobody's actually been able to tell me if it's a five g repeater that's been put on the chicken house or they're using the Wi Fi from the farm. And I wouldn't be surprised if it was both. And that's what I assume at all times. So to me, it's how are we doing this? Are we doing this in a manner that's going to keep us resilient or are we going to have an issue because somebody made a decision on high and didn't know the full scope of the situation?
So, yes, it's it can be very daunting, but it's also like talking to my father, for example. My dad was a fireman for forty five years. He I've been around industrial control systems since I was a child. And I talked to him the other day. I said, dad, your job is so stressful.
You guys have, like, the heart the highest rate of, like, a lot of mental health. Yeah. You know, heart health, all these other things. And he goes, I wanna trade my job for the world. I loved my job every day.
Yes. It was hard and, you know, there's a lot of personalities and people were difficult. My dad was a lieutenant. That's what he retired on. And it was just one of those things where he said, you know, I wouldn't I can't do anything else.
It's too in me. And that's how I feel about how OT and ICS has become for all of us is we can't imagine not doing this now. Yeah. And and our mental health is is really in question a lot too, but it's not to the extreme of, like, a fireman or a fire person in general or the fire brigade if you have overseas listeners. Right.
Right. I I love that perspective. And I I think that point about resilience and the human resilience aspect of it is something that, you know, really can't be stated enough. We recently had an episode with Sunil Yu where we talked about how some of the upcoming AI stuff is posing a lot of resilience challenges to organizations because, you know, they're integrating new things into critical kind of digital supply chains and much more towards data processes and things like that. But any one of those things can make an application less resilient, but you don't think so much about the human aspect of it.
And we we did have a conversation with another guest not too too long ago where we talked about the fact that, you know, a lot of cybersecurity jobs, like a lot of IT jobs, are the kind of, like, thankless job for 90 whatever percent of the time, hopefully, in the high 90 nines while everything is running fine. And in the the, you know, 1% of or or less of time that things are going bad, they're super high stress and high impact. And the resilience of both the organization and the people involved there is something that is is actually really important in terms of having good results, good responses, good, you know, that plan that you put in place six months ago or whatever, having people able to actually act on that in a rational manner and follow the steps and adjust and improvise properly as things don't go according to plan. Like, that all comes down to the human resilience aspect of it. So it's super important.
I'm I'm really glad you pointed that out. Mhmm. A lot of it is empathy too. I'll throw that in there. You have to be empathetic to the situation and who what's happening and who's happening to because it's not just the equipment that's failing.
It's the people who work around it. Right? Yeah. So that that ability to and you know this from troubleshooting days. Right?
You have to be empathetic empathetic to the user because otherwise, you're not gonna get through it. Same thing of anyone around us. We talk about that a lot in our industry about how you need to be empathetic to the situation and to what's happening in it. Otherwise, it's just gonna make it worse. And when you have life on the line, you have to realize that there's different factors here that people are gonna be concerned about things for different reasons.
So it's just a it shifts the perspective, stays positive. I'm not gonna dwell on, you know, the life threatening aspects of every job and every place I've ever been in because I think I would be really overwhelmed by that. Yeah. And we don't have time for it because we've got to get through it. So Yeah.
I guess that's how I feel got it. Yeah. Yeah. Fair enough. And I I, again, I love that perspective.
You you said something else I wanna unpack a little bit, and and you kinda hinted at some of maybe two of the things, and I'm curious to get a little bit more into the weeds on some of it, which is that, like, okay. So these systems aren't that difficult to deal with, if I heard you right. Something like that, you said. And and, like, you know, two of those aspects are like, hey. Do we have good microsegmentation around our networks and around connectivity and around, let's say, the ability for system a that gets compromised to accidentally talk to system b or what have you.
Right? So and, you know, if we've got that micro segmentation, we've got a reasonable asset inventory that is I don't know. Let's say the name of the equipment, the model of the equipment, the bios version of or whatever it is that goes into that asset inventory that's relevant and important for you. These systems aren't that difficult to deal with. What are some of the other best practices that you've learned over time?
Running the simulations and tabletop exercises Okay. Consistently having some type of a audit. You should have one as much as you need, especially around changes, new projects, new things that are going in and out, or things that are being removed should also run an audit for that. Okay. If you're gonna do any type of digital transformation on any aspect of wherever your facility is, you should definitely have an audit done.
I know everybody's like, oh, no. An audited assessment. It's not like that. You are Okay. You are assessing to make sure you don't have a problem.
You're also assessing to make sure you what you had in place before is okay or if it needs to be adjusted. It's just about change and modification. I charter my people. Sometimes it's like you're going to upgrade your home, you're gonna restylize, you're gonna go from modern to traditional or whatever you're gonna do. It's the same concept.
Right? You're just going to make an evaluation and you're gonna go through the steps to make that upgrade or that change is gonna happen. That audit's super important. So audits, and assessments are good. Also, the simulations and exercises are running.
I would recommend doing them at least once a quarter, and that is get everybody that's going to be affected in that facility. So get a representative from your engineering team, your operators, your production, your wherever your sanitation crew, whatever ends up happening, and get people around the table and and do a simulation of what an attack would look like. This will check your business continuity planning and your disaster recovery, which helps build resilience and team. You build a team. Yeah.
People sort of have understanding. A lot of the feedback I get from the the food production type of the house, so that's food defense, security, and and, safety. They often say to me, I never talk to cybersecurity because they never come talk to us. And I don't really wanna go talk to them because they talk they don't want us. They don't wanna be around us.
And my response package, you work for a food company. Go bring some food to them and talk to them. You have to reach. You have to put the olive branch out. However, though, I will encourage cybersecurity to talk to you because it's all part part.
We're one big team. It's not a silo situation. It's a one team one team, one dream, if you will. And it gets really frustrating. So that actually has a dual purpose that helps build teamwork, but it also shows people, oh, hey.
This is where we're weak. This is we need to work on. This is where we're doing really well. This is something we probably can improve. Do we need to buy this?
Do we need to adjust that? It really is making a difference. And, also, for the love of god, sector specific job role, security awareness training. The training that's given out for compliance every year, as we all know as security professionals, is fine. It checks the box.
Right? Two factor authentication, strong passwords, yada yada. And I'm not saying these aren't important, but you need to have role based training to get people to understand how cybersecurity interacts with their day job and how they can affect it and how they can help mitigate it and also how they can handle risk. A lot of times, people just freeze up when something happens or they'll unplug something and there's no forensic data, so we can't do anything about it. Or there's a complete lack of just a meltdown.
People just completely meltdown. Or they don't say anything because shame is a real problem in our industry. We shamed everybody's shamed. It's awful. Yeah.
I feel like we do a lot of mitigating of shame as well as risk, to be honest. Yeah. So that sector role specific training is super important in my opinion. Yeah. Yeah.
That that shame factor is definitely something that I think is a real problem. And I've seen it on both sides. I've seen it both from the people who are, you know, involved and are responsible for the defenses, but I've I've seen it even more so on, shaming the user who might have accidentally been compromised, whether it's through email phishing, malware, what have you. And I and I think that that is super unproductive because what ends up happening, whether it's either side, but especially when it's shaming the user, is that that kind of silo mentality creeps back in and that kind of, like, othering of, oh, that's the cybersecurity team. They're the department of no.
They're intimidating. They're scary. You know? They don't like us, etcetera. And and it reinforces this attitude that cybersecurity is, like, this necessary evil for the organization, but isn't actually productive or enabling.
And I think that's just like, that's a real shame, and it's really the wrong way to think about it because then it becomes this kind of attitude where, I'll I'll give an analogy. Like, earlier maybe it was last year. I can't remember at this point. But I I I talked to somebody about their view that cybersecurity is like a tax, and it's like a tax that, like, nobody wants to pay, but everybody has to. And I was like, okay.
Well, like, I get why you might feel that way, but then if you think about the other ways that we think about taxes, first of all, people are kind of rewarded and applauded for cheating on their taxes. And people are kind constantly looking for ways to get out of paying taxes. Like, I know people who go to extremes to avoid every little ounce of tax that they can get away with, and that is such a bad practice to bring to your cybersecurity strategy. So I just feel like, you know, if you go down this path where you start to create these divisions or you start to create these perceptions of cybersecurity as not being something that helps the organization move forward, the the results are gonna be bad across the board, whether it's, like, in the inter kind of team relationship or whether it's with your cybersecurity results or whether it's, like, with your users being, you know, just being completely tuned out as to their role, you know, even more so than they tune out the annual security training exercises that they already tune out. Yeah.
It's very true. And I I talked like I said, I talked a lot to the food protection side of the house, and they go through similar things as we do. They fight for budget the way we fight for budget. They're viewed as a profit. I'm sorry.
They're viewed as a cost center, not a profit center, and which is kind of weird because we need to test our food to make sure it's safe for ingestion. We're making a product that people eat. Right? So that's a weird thing. I always I always that struck me always as really strange.
Like, somehow, I I understood IT and security as a as a cost center kind of situation. Yeah. But I never understood that when it came to food safety. That just seems like something that would be just a business line item and nothing else because it's so it's part of your actual process. So because of that, it got me thinking a lot about how we could help them become more of a for profit, if you will, because we're looking at data that's coming off of our security systems that is tracking off of sensors and tracking off of other things that could really give them an understanding of exactly when an incident might have happened on a food side or when an access control issue happens such as somebody went from the peanut area to the non peanut area Mhmm.
And they were just an angry employee or something like that. We can show those moments so they can actually have better data for their records. Same the other way is the same. They have influence over how people interact with things. So and it's sort of like a good news, good wealth type situation, like you said, breaking the silos down.
It's just it's so frustrating to me that we are almost letting bad actors win when we don't get along as a as an organizational unit in a facility. It's just it seems like simple simple math there, and it's Yeah. We really gotta get better about it. We have to. Yeah.
Totally. Totally. We we've had a couple conversations on here with other guests where we've talked about, you know, the importance of actually just the organizational attitude and doing a better job from our perspective as as cyber practitioners, as as cyber people in in, you know, trying to dispel that perception of the department of no and whatnot. I wanna circle back to something that we talked about just a minute ago, but I wanna get kind of a a little bit of a, like, a reality check on something that you said, which is around, like I come from the world of cloud security. So when we think about kind of, let's say, change management and then, like, an audit or a review upon change, that very often gets thrown out the window in the world of cloud security because these systems sometimes are changing multiple times a day.
And those changes can be on the impact of, like, hey. New workload checked in. Workload got upgraded. Workload moved from region a to region b or, like, scaled out, scaled back in. Like, all kinds of changes, identity and access management changes, what have you.
So there tends to be more of a focus on, like, okay. Well, we're we're just gonna, like, continuously monitor, security posture of these cloud environments, and we'll use whatever framework or organizational controls or what have you. When I think about OT and ICS systems where I tend to think about, like, big machines. Right? And that may or may not be all that accurate.
Is it is it more realistic to think of these change events as being, like, a lot less frequent, as being more on the order of, like, machines don't get replaced that often unless they fail? Or or is there, like, something I'm missing in there? So there's actually a lot of change that happens because if you think about people think that, production lines are they're static. They're gonna stay there. They're not going anywhere.
Yeah. They move and they change all the time. And any and all kinds of different facilities, not just food facilities, but they move constantly. So say, like, you have a new for well, just use the bakery as an example. If you wanted to have a cake pop line installed when that became a fad back in, like, wherever it was, And Yeah.
Yeah. You have to have the line brought in and designed. It has to fit into the factory itself. It's a big factory, and you literally just move components around. So So your first constraint is, like, literally your physical space?
Correct. So things are moved around. Also, there are things called tenant factories where you have different types of manufacturers altogether in one factory. So all this probably all the security people who are listening went, what? How do you secure that?
We can talk later. By the way, like, half of them probably work in a co working space. So, like, come on. Exactly. It's the same kind of concept.
Right. Right. So there is a lot of movement of devices. There's also new tech that's brought in for whatever new product, new design, new thing. Example would be for if you wanna go for food again, have you ever noticed when you buy a store bought, like, blueberry muffin or a muffin or something like that with fruit in it in general?
And I I know, Jeremy, you're allergic to some fruit, so I I will start. But And gluten, by the way. So Oh, yeah. So okay. These are gluten free and But please continue.
We'll make them friendly for you. Okay. Good deal. So there had to be a machine that was created, actually. This happened, like, a decade ago or more.
And that would suspend blueberries in the mix before it was pulled down, so it had the exact amount of fruit in it before it hit the cup, if you will. Okay. That had to be created and made by the engineers on these sites. And it's extremely coveted tech at the time. I'm sure it still is in some ways.
But that type of technology has to be made because customers complain that they don't get enough of whatever they want in the product, so they have to make adjustments. So, yes, the tech changes around it, and it's constantly moving. When it comes to, like, power facilities and more stationary industrial type things, yeah, those machines are too big. They're not going anywhere kinda thing. But the the sensors that are on those, those change.
Those change a lot. So Okay. And and sensor security is an entirely different type of conversation. It is, that's very niche down, and it's I applaud people who do that work because that's a lot. Because securing that is really difficult because that's a lot of little components in a large space kinda thing.
Mhmm. Also too, I think that there's so much and you know this. Everybody knows this. There's so much stuff happening with AI that agrotech is, like, booming right now, and it's gonna continue to boom. So you you name it.
There's a sensor. There's a drone. There's a robot. There's something coming into the fields now more than there ever was before. Yeah.
That that is that is hard to keep track of. Yeah. Because there's a whole different concept there. It's not like you just have one building. You know what I mean?
So Yeah. Yeah. That's I would say it's evolving in different ways. It's just a matter of perspective and how you look at it. Okay.
Yes. Obviously, you're gonna have machines that are never gonna go anywhere, but then you have other ones that are just constantly transforming, if you will Yeah. And evolving by what the need is or what the want is for the company or the organization. So so then is it kind of back to, let's say, similar guidelines to what you might have is in in an ordinary organization where, like, let's say, like, the addition of a new, laptop computer, nobody's gonna look at that as much of a change event other than, like, hey. Did this laptop get provisioned correctly?
Does it have the right, you know, operating system settings, patch level, EDR agent, whatever? But, otherwise, we're not gonna trigger, like, an organizational, audit around, like, a new laptop or or, you know, new user similar kind of thing. So kind of same way to think about it is like, okay. You know, these small changes that may not have, like, a big impact, like, okay. As long as they're being done properly, we've got a process for that, and we open a ticket and track it and blah blah blah, whatever we might do with it, all well and good.
And then it's just a question of, like, defining what those thresholds are for when we really do need to, like, audit, and and kind of review what has changed relative to, I don't know, network segmentation or what have you. Pretty pretty similar kind of logic? I would say maybe yes. I think that the strongest operational technology companies have change management, boards, they said, on cabs. I think that changes, even if it's just we're patching a system today, I think are are said and often spoken about because we need to know if we have to roll back very quickly.
I've been in those environments, again, in food companies where if I wasn't sitting on the change board and I didn't know this was happening and I didn't I wouldn't I would assume we got hacked. But thank god we had a change board and we knew. I don't think you can just do changes in isolation. I think you have to have conversation. So to some degree, there are, like, maintenance type changes that are expected, but those are talked about anyways and agreed.
Because, remember, everything's set on a schedule. It's very forecasted. It's very Yeah. Expected, and the budgets are worked that way as well. So if anything's like a major change and it causes an incident, it could really take a company down in a different way.
Not only financially, but, again, that safety aspect. So Yep. I would love to say that it was as easy as imaging a laptop and it was a standard gold image that everybody used. It's not that easy. It's a lot of it's customization.
A lot of it is which who's handling what division, which department, because you could have engineering on one side having to deal with production on the other. So Yeah. Those change management meetings are so crucial and so important. In fact, I this those stand ups are so important. I when people complain about what time they are in the morning, things like that, I'm like, if you didn't have these, you would be so up a creek without a paddle.
It's so good that you're having them, and I celebrate them. So anybody who's on a change board, I I hear you, and I I appreciate you. Yeah. Yeah. I think the one one really interesting thing from what you just said is actually what one difference that I pick up on is that it's more predictable.
And, you know, to to for exactly the reasons that you laid out, so that's a really interesting takeaway to take away from that, from that little bit. We're running a little bit short on time, and I still got about four or five different topics that I wanna pivot to in in the time that we've got left. One is that I'd love to hear, like, what did you learn? I I think the most valuable and some of the most interesting perspectives come from off the beaten path types of experiences. I often tell people that, you know, in part of my own experiences, like, I originally trained as a linguist, I then went back and got an MBA, I'm a two time college dropout, and I did improv for about ten years.
And out of all of that, the most valuable experience that I probably use on a regular basis is actually my improv. More valuable than my MBA, sorry, for for all of my professors. But I'm really curious about your background in environmental management and what was it the intro about getting to work with gorillas. And I think that's not the only animal that you've worked with. So I'd love to hear what was that experience like?
What did you learn out of that? Sure. When I started let's take it back a little bit. I think some of us us old people as I now call us because this is how it is. Remember when the market crashed for IT and technology in, like, 02/2008, '2 thousand '9?
Yeah. I was one of those people that ended up getting crushed. So I was like, forget this. I'm gonna go back to school because I was a four time college dropout. So I hear you on that.
Hey. You got me beat. Good job. So I, I finally settled on a university, and I was like, I'm just gonna get a degree. It has nothing to do with technology.
I'm gonna do this. And, you know, it was joke's on me because environmental management is heavy technology. I even took a course called environmental technology. So, and I was touring through all these facilities that were all just basically industrial control everything, and it was, it was a lot. So I I loved my degree, and while I was doing it, I favored more towards the conservation side.
Okay. And I really I fell into a little bit of, behavioral ecology, trying to understand the behavior of animals to keep them safe and how we can work with them in our modern world, kind of like urban adapters like squirrels and birds and bears, actually, to this extent now. So I started, I was volunteering at the National Zoo in Washington, DC. I'm actually wildlife certified through them. I don't know if they offer a burger anymore.
Yes. It is awesome, actually. I learned an unbelievable amount. And, within all of that, I got an opportunity to work with an Emeritus professor who was setting, cortisol levels and bachelor gorilla troops to see if they could be viable to stay together in one troop and how that would work without them killing each other, basically, just to be honest. So I originally was going to be working with, the polar bears and the and the wooly monkeys, but the wooly monkeys did not like me.
They fought me. They every time I walk in, they were absolutely no. Get away from me, lady. And then, why was the polar bears I don't remember what the exact issue was. I think their enclosure was being worked on, so I ended up with the gorillas anyway.
So it was totally fine. And I spent almost, two years with them, and it was amazing because I was watching doing focal observations on them. So I was watching one at a time, and it was four, silverbacks together. There was a little bit of relation in there. So some of them were related, some of them were not, and trying to figure how they would work together.
So it was I'll tell you. It was probably the best job I ever had, and I didn't get paid. Being a researcher associate was literally the best. I, I can tell you that I've had every bit of body fluid thrown at me. I have been attacked, not attacked attacked, but I've definitely been grabbed and, you know, tried to, you know, be told what to do because I got I became part of their world in a way.
They they taught me so much about people. People watching gorillas was, like, literally one of the most amazing things I've ever done because people are so curious and so uneducated at the same time. Yeah. And the learning process of listening to people try to figure out how to, watch gorillas and what they were doing, and then they'd ask me to, like, turn them around so they could take a photo. And I'm like, it's a wild animal.
It's a 600 pound wild animal. I can't do anything to help you. Yeah. Yeah. Yeah.
It's gonna do what it wants to do. It came to the point where I'd be standing up front like, the patron facing side of the glass because you could also be behind that. And I remember watching the behavior, and I knew that the girls were angry that day. They just were fed up. There's too many people.
There was a lot of things going on. Somebody didn't get a snack kind of anger moment. And I was like, the energy changed. You knew that one of them was gonna charge the glass. Yeah.
So I always would find it really amazing because I wouldn't jump because I was used to it. It was just one of them being a punk. That's just what was happening. And and I remember the whole crowd jumped back. Children started crying.
Women were, shrieking. And I'm just saying, like, you were a jerk. What are you doing? Like, come on. Knock it off.
There's people here. You know? Like and I I just remember the girl looking at me like I was looking at them, like, the two eyes kinda thing. Like, I see you. And I just it's just amazing experiences.
So but it informed my security career because I started looking at behaviors differently. I didn't just listen to what people were saying. I was watching what they were doing. Because you can be in a room full of, executives and know the hierarchy immediately just based on behavior and body language, not just because of title. Because sometimes the biggest person in the room isn't the biggest title.
You know what I mean? It doesn't hold all the weight. So that came in really handy when I started doing assessments all over the world and in different places. It really helped me understand before because I couldn't understand the language anyways. So if I watch behaviors, because humans are humans, they're gonna be the same way.
Yeah. It really helped, and it helped me understand that. So, yeah, it was amazing part of my, journey, and it actually now helps me. I work with zoos and aquariums now too. So it it helps that aspect because I understand what they go through, because there's a lot of OT.
Just think about all the life support systems for different animal cultures itself. Yeah. It's amazing. So I That's have an incredible love for animals. Yeah.
That's awesome. I I love hearing about that, and I'm sure our audience did as well. Thank you so much for sharing your experience on that. That's a fascinating perspective. With our last question, and and we are really up against time, unfortunately, but I'd love to hear one other thing.
I always tell people that, you know, one of the things that I really love about modern cyber is that I get to talk to so many people from so many different backgrounds, and I've learned so much. And I know our audience learns from the episodes, but I always tell people I actually learn more than anybody else because I I'm on every episode and I get to hear the conversations firsthand. What have you learned from running the bytes and bytes podcast and what what is the podcast all about? So bytes and bytes, so it's bytes like you bite something and then bytes like computer bites so with a y. Okay.
Yep. I started the podcast because I felt like we needed to have a larger conversation in cybersecurity about food and agriculture. Obviously Yep. It's a very niche thing. Nobody talks about it.
And I learn so much about our food systems every time somebody gets on the air with me. I somebody my next episode is actually gonna be about, pathogens as hackers. Woah. That's just that yeah. I know.
It just you know, it blows your mind. And then learning about food safety and the things that go into how things are made and why things get infected and and why foodborne illness is a start up and understanding how systems thinking works in the food industry and how it's it's different. I have an episode about agro terrorism coming up in a few months, and that I have and I know a lot of us will agree. There's nothing that scares us anymore in cybersecurity. We hear things.
We've seen it all. It doesn't bother us anymore. But I will tell you my jaw was on the floor the entire time during that episode because I could not believe how horrible people are to each other and what goes on there. So, yeah, I learned so much. And, also, it's just hearing people's day to day lives and what they go through and how they how they respond to the the world around them and all these things.
Because let's just say that being in the food industry is not for the faint of heart. People are really Yeah. They put their heart and soul first. I mean, farmers put everything on the line to get these crops to us. And we don't even appreciate it because we have new seasons in the grocery store, and we're so far removed from our food system.
We don't even know that that butter is made with milk. So it's it's pretty crazy. Yeah. Well, that's awesome. We will have it linked in the show notes, but for people who wanna find it, it's bitesandbytespodcast.com.
We'll We'll have a link in the show note. We'll have a link to AnzenSage, AnzenOT. Kristen Demoranville, I can't thank you enough for taking the time. We ran out of time to get through everything that I wanted to. We'll probably have to have a follow-up episode with you in the near future to talk about some of your other experiences and some of your other work.
But thank you so much for taking the time to join us here on Modern Cyber. Great. Thank you so much for having me. Awesome. And to our audience, please, as always, rate, review, share, subscribe, all that good stuff.
Talk to you next time. Bye bye.