Ep. 18: Audacious Goals for Infrastructure Security, with Danielle Jablanski of STV

Episode 18 June 30, 2026 00:48:27

Show Notes

When most people think about cybersecurity, they think of stolen passwords and data breaches. But what happens when the targets are the systems that keep buildings running, water flowing and energy moving?

In this episode of the Ctrl+Alt+Mfg Podcast, hosts Gary Cohen and Stephanie Neil sit down with Danielle “DJ” Jablanski, a leading OT cybersecurity strategist at STV. Together, we move past the awareness stage and dive deep into the high-stakes world of cyber-physical risk.

DJ breaks down why securing the built environment is one of the biggest challenges hiding in plain sight. In a wide-ranging conversation, we discuss theater dreams, food trucks, why you don’t need an engineering degree to be an OT security champion, the myth of the perfect security framework and why network segmentation is a constant process rather than a one-time project.

This episode explores:

Whether you're an engineer on the shop floor or a leader in the C-suite, this episode is a masterclass in building resilience into the very infrastructure we rely on every day.

CHAPTERS
00:00 Introduction to Cyber-Physical Security Challenges

07:11 The Importance of Operational Technology Security

13:33 Danielle Jablanski's Journey into Cybersecurity

16:29 Understanding the Critical Nature of OT Security

19:57 The Growing Gap in Operational Technology (OT) Security

23:55 Understanding Network Segmentation in OT

27:29 The Importance of Securing the Built Environment

31:32 The Role of EPC Firms in Cybersecurity

34:36 Navigating Cyber-Physical Risks

37:41 Assets vs. Functions in Cybersecurity

39:43 Evolving Threat Models in Critical Infrastructure

43:35 Advice for Infrastructure Owners on Cybersecurity

Chapters

View Full Transcript

Episode Transcript

[00:00:00] Speaker A: When most people think about cybersecurity, they think about things like stolen passwords, ransomware, or data breaches. But what happens when the target isn't data? It's the systems that keep buildings running, water flowing, energy moving, and infrastructure functioning. Today we're talking about operational technology, cyber physical risk, and why securing the built environment may be one of the biggest security challenges. Hiding in plain sight. Welcome to Control Alt Manufacturing. Hello, hello, hello, everybody. Welcome back to the Control Alt Manufacturing podcast, Resetting and Rethinking Manufacturing. Hopefully you've been listening. If you haven't. This podcast is trying to help explore some of the people, the technologies, the strategies that are driving the digital transformation of manufacturing. I am humble host number one, Gary Cohen. Joining me, as always, is the vivacious and spectacular Stephanie Neal. Hello, Stephanie. [00:01:04] Speaker B: I don't think anybody has ever called me vivacious, but thank you. [00:01:07] Speaker A: I just went with vivacious. You now you have to live up to it. So that's the trick. [00:01:12] Speaker B: That is a trick. [00:01:15] Speaker A: Especially like in the middle of the day on a Wednesday. Are you feeling vivacious? [00:01:19] Speaker B: No. Especially it's like rainy and just soggy and raw and cold. No, thank you. [00:01:25] Speaker A: Oh, so you should come to Chicago. It's Sunny and like 65 degrees here. [00:01:28] Speaker B: Hopefully that weather is coming my way. [00:01:30] Speaker A: It might be. I am actually really excited about this one because today we have Danielle Jablanski. We're gonna call her DJ, who I met at the S4 Industrial Cybersecurity Conference in Miami. We're gonna be talking about some of the things I said in the intro. Cyber physical threats, operational technology threats. And when I was at this conference, when one person says, oh, you should talk to dj, she'd be really good for your podcast. You go, yeah, okay, I'll see if I can find her. I had like four different people tell me that she'd be great for the podcast. I was like, I have to meet this person. Also watched her moderate a bunch of panels and she did a great job of staying neutral and being a wonderful moderator. So looking forward to talking to DJ today. But before we do that in the we're gonna switch this back to a get to know Stephanie today. Stephanie, you have. When you are not working in content, you are often working in another way. Tell me a little bit about this second job that you've got or that you're maybe that your daughter has. [00:02:35] Speaker B: Yeah, I work for my daughter. So she has a food truck here in our local town. We're a beach community. So she goes out to the beaches and it's breakfast and lunch. Paninis, sandwiches, some cool drinks. Nothing alcoholic. Can't serve anything off a food truck that's alcoholic. But she does have me on there. We do go to. Actually, though, we do go to the brewery. So, you know, you can have a sandwich and a beer there, but it's a lot of fun. It's a lot of work. But, yeah, so she has me on the truck, and. Except when I'm cranky and I'm not feeling vivacious, and then I scare all the customers away, so she kicks me off. [00:03:17] Speaker A: Or just put you in the back where no one can see you. Outside of a brewery is an amazing place to plan a food truck. [00:03:24] Speaker B: Yeah, no, it's a lot of fun. So it's a. But we're just. She's just starting her season right now, so we're recording this in April. And it's funny, she was just over here this morning, and she had an appointment to go see the board of. The Board of Health. You know, here's the thing about food trucks in Massachusetts. You have to get all of the applications and all the certification for not like, for every single town that you're going to. And it's a lot of money, and it's a lot of time, and it's a lot of energy, and everybody thinks it's just so fun. Like, let's get into the food truck business. It's a lot of work. So just an FYI, for anybody who thinks they want to quit their job and go into the food truck business, it's a lot of work. [00:04:07] Speaker A: I have known several people who are in the restaurant business, and everybody's like, I want to open a restaurant or a bar. And everyone has said. It's like back when I was acting where people were always like, if you can think of anything else in the world that you could do and be happy, you should go do that thing. And that's what I always hear from people in restaurants is like, if you love it, it's great. If you aren't passionate about. Can be a rough business. But I have to ask before. [00:04:34] Speaker B: Oh, go ahead. Cause I was gonna ask you something. [00:04:37] Speaker A: Oh, I wanted to know. Wait. What is the best thing you make? What is your favorite thing that you make in the food truck that I make? [00:04:43] Speaker B: Well, my daughter. [00:04:44] Speaker A: No, you. [00:04:44] Speaker B: Me? [00:04:45] Speaker A: Yeah. [00:04:47] Speaker B: Well, she does most of the cooking, but I'm trying to experiment with and do some stuff. And I'm telling you right now, I'm trying to exper with. They're called pizza strips, and they're from Rhode Island. It's a Rhode island thing. And it's just like pizza dough with sweet tomato sauce, no cheese. And it doesn't have to be heated up. It's supposed to be served at room temperature. So, you know, it's a small truck. We don't have a lot of, you know, areas to, you know, be heating up some pizza or making a pizza. But, like, if we, like, pre made it, we can serve the slices at room temperature. It's great. Beach eats, right? That's the whole thing. Thing, like beach eats. So I'm experimenting with that. I don't know if it's going to work or not. A lot of people might not like it. Like I said, it's kind of like a Rhode island thing that I learned when I was growing up from my family in Rhode Island. Also called bakery pizza. But yeah, I don't know if that's my favorite, but last time we were talking, I was telling you that Italian is my favorite food. So I'm always trying to, like, sneak in some little things here and there. Sometimes she likes it, sometimes she tells me to take a hike. But we'll see what happens with the people. [00:05:55] Speaker A: Well, she's the boss. You gotta listen. [00:05:57] Speaker B: She's the boss. I'm calling it Beach Pizza. We'll see what happens. [00:06:01] Speaker A: I love it. What were you gonna ask me? [00:06:03] Speaker B: I was gonna ask you, like, if you could be doing anything other than your wonderful job of being a B2B journalist and digital storyteller, would you be acting? [00:06:18] Speaker A: I still really enjoy it. So, yeah, I like doing that. I like podcasting. Yeah, I think that's probably. I mean, you know, it's a little bit like saying I want to be an astronaut, you know, but yeah, I do enjoy doing it. So I've been thinking about maybe not so much, you know, as my kids get older, not so much doing it as a career, but doing it as, like, just look for some local community theater and go have fun. [00:06:43] Speaker B: Just get into some commercials. Do some commercials. [00:06:45] Speaker A: Yeah, I did that. I had. This is getting out of hand, this early conversation, but I will tell you about this some other time. I had an amazing track record of putting companies out of business. The second I got cast in a commercial, within, like, the next six months, that company would go out of business. I never told anybody this, but I was like, oh, well, there goes that company again. So now you can't do. [00:07:07] Speaker B: Now you're never going to get a commercial gig, though. [00:07:09] Speaker A: Maybe not, but yeah, let's. Let's. Let's talk about DJ here and talk about cybersecurity. One of the things I talked about in the intro is, you know, people's idea of cybersecurity is often on the IT side. I don't think as many people think about security on the OT side or in industrial environments. But when you're talking about that, it gets really serious. The stakes get much, much higher because cyber risk actually can affect physical operations. And even when you're talking about something like ransomware, which everybody loves to talk about, you know, people who are, who are, you know, who are putting ransomware out into the world, attacking you with ransomware, are looking for pain points. And there is, you know, money and information and your secret sauce if you're a company. But a big pain point is the physical built environment. If I can shut down your electrical grid or your water system or a nuclear facility, well, that's a pretty big pain point. So when you're talking about how, how industrial cybersecurity is important, why it's important, it's huge. And I think it also doesn't really behave like traditional it, which people who are, you know, DJ knows, you probably know this. You can't patch it on demand. You can't always take a manufacturing line offline. A lot of environments include legacy systems, things that weren't built for cybersecurity, third party access. And so that makes this, I think, more than just a technical issue. It's an operations issue, it's a leadership issue, it's a resilience issue. So yeah, I think this is a really, really important topic we're talking about today. [00:08:57] Speaker B: No, definitely. And we've talked about it before that like you just said, we were talking about critical infrastructure and it's not like it where a server goes down and oh, whoops, I don't have any email or I lost that file. You could be, you know, something catastrophic could happen as a result of a cyber breach. And I didn't meet DJ at the conference like you did, but did just a little quick look into her history and wow, really impressive. [00:09:26] Speaker A: Feels impressive. I know, I know. We're going to get outshone today. Let's go ahead and introduce her. So, Danielle DJ Jablansky. She leads STV's operational technology cybersecurity consulting program, advising clients in security, program development, strategy, tool selection and deployment to mitigate cybersecurity threats facing operational technology and cyber physical environments. And that stretches across transportation, energy, water infrastructure. She also was in the office of the technical Director at cisa. She's Been at Nozomi, at Guidehouse. Also an adjunct professor who enjoys teaching ICS cybersecurity at Dallas College. Has taught cyber physical defense at The Middlebury Institute. D.J. it's a lot. You do a lot of stuff. [00:10:09] Speaker B: Is there anything you can't do? [00:10:11] Speaker C: DJ I also have a one and a half year old. [00:10:14] Speaker A: Oh, my God. [00:10:16] Speaker C: Yeah. And she's amazing. She's been the best job so far. [00:10:19] Speaker A: And so my question is, how are you managing all of that now? That's a one and a half year old. I have a friend who's got now a 3 year old and it's. My kids are now teenagers and it's always a lot, but at one and a half, it's there at that age of like, oh, I need to be managing them all the time. [00:10:36] Speaker C: Yeah. She still doesn't sleep. So the jury's out on when that will occur. But I actually was telling my boss earlier today, I saw some recent research and I didn't look into the validity, but the takeaway was that there's some early indicators that not having the same day and structure is actually beneficial for like pre Alzheimer's and dementia. And I was like, I'm going to live forever. Like, I am all set if that's the indicator. And so that was one that was. It's just something recent that came out that I was like, okay, I'm in good shape because you never know what my day will look like depending on Quinn and life and travel and teaching and everything else. But I do love it and I [00:11:15] Speaker B: chose it Only gets better. Only gets better. More and more things. [00:11:19] Speaker C: Yeah. Everyone keeps asking, when's the next one coming? And we're like, not for a long time. [00:11:23] Speaker A: Yeah. We're dealing with the first one right now. [00:11:26] Speaker C: She's dealing with us. [00:11:27] Speaker A: Yes. And just think, in 20 something years, you could be working for Quinn in a food truck. [00:11:32] Speaker C: Oh, for sure. Yeah. No, that'd be. I was actually wondering if you needed a special license. I had so many questions, like, to drive it, like, do you have to get a Class E? [00:11:39] Speaker B: No. Well, the truck that she has isn't that huge. So she just came out. She would have if she had a bigger truck, but no. [00:11:48] Speaker C: Yeah. [00:11:49] Speaker B: Trying to keep it manageable. [00:11:50] Speaker C: Cool. And then, Gary, you're the opposite of. But you're the opposite of good luck, Chuck, and your acting career. [00:11:57] Speaker A: Oh, my God. So, yeah, I didn't ever tell people that, but then it was like. I mean, it was a long time ago, but I did like commercials for Earthlink by the Old Internet provider and it went out of business and then there was, I mean, it wasn't a directly, it wasn't directly related to me, I don't think. But it was like, yeah, I've got this. Your hope as an actor when you get a commercial is it's going to run for 20 years and you keep getting paid. And then these companies kept going out and I was like, well, guess I'll never see that ad again. [00:12:24] Speaker B: Or that you would be like, you know, the state farm guy or progressive. Right. And you have this recurring, you know, character. [00:12:33] Speaker C: I never wondered about that. They must get recognized in public. That's interesting. Wow. Yeah, they're like celebrities. [00:12:39] Speaker B: Okay. [00:12:39] Speaker A: Yeah, yeah. No, I've known some people who have done that and they're, it's like a double edged sword. They're like, I am making tons of money and never have to work again. At the same time, it's hard to get other jobs because I'm flow. Right, Exactly. [00:12:53] Speaker B: Yep. [00:12:54] Speaker A: Yeah. I have a feeling we could do this whole podcast without talking about anything and we'd all have a really good time. [00:13:01] Speaker C: But I also have a theater background, so we really, we could jump, right, [00:13:04] Speaker A: tj, you and I, the next time we're at the same conference, we're going to have dinner and we're going to have a good time. So. But let's, let's be professionals. Let's be professional. So let's talk cybersecurity. You, as you said, you do everything. You've worked across government, industry, academia, you've done OT and ics, cybersecurity. Let's talk about your background. What drew you into this space and why has it remained an important focus for you throughout your career? [00:13:33] Speaker C: Yes, I've made this joke before, but when I got into ot, I just missed things that exploded. So when I went to Stanford in 2018, I was there on a two year contract to help them build out their master's program in cyber policy. And my background was in policy work, government affairs, but I was actually working in nuclear weapons when I started looking at cybersecurity. And so we were looking at some of the considerations for, for launch and use and then the doctrine around modernization. Right. There was a trillion dollar budget for modernization. And when I went to Congress and my first job and asked, hey, does anyone know the cybersecurity components or even the command and control components that are going into these upgrades of this trillion dollar modernization program? And I had congressmen look at me and say, do we not know that? And I was like, whoa. Like, you know, and this was kind of this evolution of everything's connected everywhere and we have all these different, you know, industry 4.0 and 5 point, whatever we're at. But that was. My background was nuclear. And so when I went to Stanford, we're working on this program. But at the time, the funding and some of the politics of the day had us looking into disinformation and deepfakes and election security, and I wasn't interested in that at all. And AI, AI was a big one. And so the more we got away from the physical world in that policy work, the more I wanted to go back to things that exploded was the joke. But then I became fascinated by critical infrastructure and the world around me and all the things I had yet to learn and all the silos and reasons I didn't learn it going, you know, going through school and understanding, you know, how the energy sector and how the grid works and things like that. But then I realized that energy got all the attention for a long time, especially in cybersecurity. They had better budgets, better compliance, for better or for worse. It's not a net negative, but they might not be the gold standard. So how do we evaluate the rest of the sectors in their silos and how we get them to more mature areas? And then lastly, I mean, I just have to say this. I got really lucky. And the timing in my career. Right, timing is everything. When I decided to leave Stanford and go into consulting, they asked me, what do you want to investigate? What do you want to research? And I wanted to do intrusion detection systems for industrial control Systems in 2020, 2019, actually, I published my work in 2020, and it just happened to be at the time that that market exploded. And so I had tons of opportunities and awareness from that, that the timing was everything. And I had really, really amazing mentors in that early work that I still see at conferences today that are probably some of the people that told you to talk to me. And those people have ushered me into this for, you know, five, six, seven, eight years now. And so I wouldn't be where I am without those. Those voices. [00:15:55] Speaker A: Yeah, I don't remember the exact dates of these, but that would have been right around the time of, like, Oldsmar and Colonial. And I mean, yeah, I was at [00:16:01] Speaker C: Nozomi by then, but yeah, okay. [00:16:04] Speaker A: Yeah, yeah. I mean, I think because this podcast covers digital transformation, isn't always focused on cybersecurity. A lot of cybersecurity conversations, as I said in the intro, when we weren't talking about random stuff, still center on IT systems. So for listeners who may not live in the OT world every day, how do you explain why securing operational technology and cyber physical systems, the things that blow up, is so critical right now? [00:16:29] Speaker C: Yeah, so I mean a lot of people tend to argue that you need an engineering background to focus in ot and I think that that's just like belligerently wrong. You use products, services and resources every single day. And if you want to work to secure a product, a resource or any other type of critical infrastructure, then you can learn about it. I mean that's why engineering exists. But that's one component, one discipline in the built environment that we care about and it's instrumental, but so is security. And all you need to do to do security well is care about it. And so I think that we also have to fundamentally understand the ways in which automation has been the bedrock of society since the industrial revolution. And however you want to categorize the growth and you know, renaissance thereafter. And so I teach in my classes relay logic, but very simple relay logic. And I start with, you know, a car wash example and we look at the baggage claim at the airport, things that you use in your day to day life beyond electricity and water to start to think, oh my gosh, there are systems of systems that I can learn about and understand to a very technical degree without being an engineer. And I can apply security to that in the same way I have in it. I can apply some of the same tools like Wireshark to the PCAPs that I look at. And yeah, not all of the security things from IT are going to extend to ot, but once I understand the core competency, then it's kind of off to the races on what I want to do about it. And so I always tell people it's not enough to just call it all logging and say, well I understand sims, so I can get OT data from here and I can use this tool and buy this capability and then I can just go be an analyst to work in a soc and I've got OT checked off right? There's still a significance to distilling the communications traffic from the process variables that we know on the industrial side and dissecting both correctly. So it's not just about where can I throw it together and where can't I. It does take a dedicated approach, but I think anyone can do it. There was a fun example the other day. I was on a call for a paper I'm working on and somebody was looking at some data and it was a response data for a survey. And somebody said that phishing was a concern in their OT environment. And the person reviewing it was like, wow, they must be so immature that they consider phishing to be an issue in ot. Like they're not going to click on a link from a PLC or a workstation. And I was like, did we forget the kill chain? So sometimes we actually take it the opposite direction where we think we have everything figured out in OT and IT and regular cybersecurity have no input. And it's like, wait a minute. Phishing is a very real concern for OT environments. Even if you're not directly clicking on links from an hmi, right, you're not going to get an email at the car wash HMI that you're going to click on. But you can still target those in similar, you know, similar tactics, techniques and procedures. So my basic takeaway is that you can do it if you're interested in it. We do need a more holistic and proactive way to think about it. That's definitely required. But I think there's a lot of maturity still to be gained in this discipline and especially in this market. I love to remind people that cybersecurity itself is an unregulated market. And at cisa, the number one thing I would kind of joke about, but I wasn't really joking, is I was over awareness. I hated the word awareness. Everyone's like, we have to spread awareness in OT. I said, it takes me about 20 minutes to convince somebody why OT is important. Tops. 20 minutes, tops. They get it. We can manipulate systems to the extent that the values in them and the command and control is overtaken and we can cause them to make bad things happen in the real world. Right? I can explain that. In every single sector and every single system system that exists, the problem is the gap in capabilities and capacity and competence between IT and ot. And it really isn't even competence anymore, it is capabilities. If you compare the markets, the tools, the approaches, the security controls, the technical veracity, the introduction of AI, OT is so far behind. And it's not an awareness problem. It is a. We have to catch up to the breadth and depth of capabilities and competencies in OT. And so we've got 10 plus years of growth that's going to be happening in this market. And I think that that gap is amazing. I can't wait to see what happens 10 years from now. But it's not an awareness problem. It really is a comparative market problem that I think a lot of People are in a really good position to solve today with the tools that we have at hand. [00:20:23] Speaker B: I'm surprised there's that gap that you talk about on the OT side. [00:20:27] Speaker C: Yeah. [00:20:29] Speaker B: So just based on your experience, TJ at cisa Private Industry Consulting, how has that changed the way you look or think about what quote unquote, good OT security looks like? [00:20:44] Speaker C: Well, so I kind of made poked fun at the awareness market. There's a whole market for awareness training and education is huge and it's extremely important. But I think that there's this kind of shift also happening where there's a barrage of information and there's even AI slop that has entered the chat on OT security. So you will see regurgitations of here's a list of security controls and these are the right ones. Here's the best practices from this group and here's why they're the best practices. There is no single voice. You have no trusted advisors. That's what I used to say at cisa we are the trusted advisor. There are no other trusted advisors. If something doesn't exist or if something only exists from a private sector company, then there's a vendor lean to it and we need to build something agnostic to that. That was kind of my position at CISA. But a couple of years ago at S4, I actually gave a talk on the main stage called Priority is in the eye of the asset owner. And that's really where I'm building my practice. And I mentioned competence, capacity and capabilities because that's what I focus on in my practice. And the reason I say that is that there's so much to do and be done that we end up tying our hands and saying, well, it's not mandatory, it's not enforced, we can't solidify which framework or best practice to choose from. So we'll have this conversation again in a year or we'll go buy this tool, we'll get some data and then we'll actually make our security outcome or our goal align to the data we get out of this capability. Which of course is not holistic, it's not proactive. It is basically a self fulfilling prophecy of, you know, we're going to gain visibility in this place. We've now we have visibility in these networks on these many devices. [00:22:09] Speaker B: Great. [00:22:11] Speaker C: You don't know if you're more secure that way. Your firewall rules might still be a complete, you know, loose cannon. So there are tons of moving parts, but the best programs bring all of these moving parts together. There was Another example, I was working with a group that was looking at an Air Force base and this right. Controls question was what came up? And they said, hey, we want to build a list of controls. Can you tell us if they're the right controls for ot? And I said I could for someone generally. Right. But how do we work together to say, is this the right set of controls that I can reasonably achieve in my organization with what and how do we get there? And that's what maturity looks like. And that's what we're starting to see people realize is I've told people, beg, borrow and steal from frameworks and build your own baselines because you're never going to get anywhere without starting today. And you're never going to know where you're going without building that framework for yourself. You're not going to be able to cherry pick it. You're not going to be able to throw it into an AI engine today. You're not going to get it from a NIST download because it has no context of your environment. You have to build it. And I think we're over that hump. I don't have to sell that anymore. People are saying, I'm building a program, how can you help me? I'm building a program, how can you help me? And they're taking that ownership. And that I did not hear five or six years ago you used to hear, I'm looking for a tool, what do you sell? So that's awesome. And so I'm really excited about that. And some of the I say early maturity, not low maturity sectors that I get to work in. [00:23:29] Speaker B: Right. So you do talk about this as being of having to look at it holistically. But you know, if we think about OT and cybersecurity, the network, we really do have to focus on the network. And you helped shape OT strategy at CISA and authored guidance on network segmentation. So from your perspective, where are organizations still getting segmentation wrong in industrial or infrastructure environments? [00:23:56] Speaker C: Yeah. So we used to always say network segmentation is king, king or queen. Right. However you look at it, the paper that I wrote there is still not published. I'm told that it still will come out, but there's a long production calendar there. And ot, there's actually been a lot that has come out on ot, but it still is part of the grander mission at cisa. But for me, network segmentation is a constant. And I think that is something that is also newly cemented across ot. Right. People think of segmentation as one thing or a tool when it's actually a complex combination of both tools and activities. So some people used to think it was enough to put in a firewall. I mentioned firewall rules before. I've seen organizations deploy really, really sophisticated and expensive tools and then they still have any, any firewall rules leading to their OT networks. So when you think about network segmentation, I actually think of other security controls as being a component of network segmentation. So I think of risk management as a portion of network segmentation and vice versa. I think of, you know, architectural design and asset inventories as part of network segmentation, again, both in activity and tools, because the scale of the data that we need is really difficult to do manually. So you're going to go have to find a capability to facilitate that control. But it should be part of this broader campaign to facilitate this constant network segmentation. Right. It's not one and done. It's not a set it and forget it. It's not a perfect tool. And then in addition to that, you have access controls and vulnerability and patch management, which all affect the network and your attack survey. So they are still components of this active, ongoing exercise for network segmentation. You also can't really do good segmentation without threat modeling and tiering out your system. So crown jewel analysis, understanding what can I not operate with? What can I operate with? Because I have a backup to it. What's kind of a third tier, I don't really need it for operations and we can continue to run. That's an exercise in interdependence mapping, that's an exercise in outreach, that's an exercise in documentation and change management and all of these things, bringing in your third parties and your integrators. Right. It's a process. It's not something you can check a box on and only then do you get something like continuous monitoring, which we kind of have thought about as this kind of flip a switch control that's going to fix everything and it doesn't. It provides really good data for the oversight and orchestration of your network. And so then you want to add in. 6403 is always kind of a reference model, right? I did a listening tour while I was at CISA across the United States for every critical sector that had industrial control systems. And I talked to like almost 30 asset owners about what they incorporated, why they incorporated, what they were struggling with, what services from CISA they wanted to expand or didn't know about maybe. And none of them said that they actually used and adopted 6443. Not one, not the most sophisticated, not the most. Not the smallest co op in Nebraska. That was a legitimate example. None of them had actually adopted 6443. So when we look at how we deploy DMZs and firewalls and software defined networking and data diodes and micro segmentation, again, that's all being driven by the vendors. And that's okay. That's not a net negative. Right. They do good things, these vendors, but where it fits in your program and when you use it and how you use it to maximize its capability as part of that strategy, I think really matters. Then you've got Iot and hardening and redundancy and cold systems and segmented safety and power supply and manual operations. And so it's a constant. It's absolutely the backbone of an OT program, in my opinion. [00:27:13] Speaker A: When we, we communicated before this conversation, you said you've been thinking a lot about securing the built environment. When we talk about that, what systems and risks are you the most concerned about? And why do you think this area needs to be getting more attention than it is? I could probably intuit some of this from the conversation we had earlier, but [00:27:29] Speaker C: yeah, I mean, I kind of joke that energy got all the attention and it really had the most mature. It also is for good reason. Right? We've seen more sophisticated attacks on energy infrastructure than we have seen in any other sector, including manufacturing. Right. Manufacturing might be more costly, but more impactful. Has been some of the examples out of Ukraine, even some of the pipeline incidents that we've seen. And so I think that energy is a good example in how to approach the tasks. But the problem really breaks down when we look at how to go about fixing it. So understanding bulk energy as a provision to a large population is pretty straightforward. It took a long time to get people to agree to the definitions of those things in the NERC SIP world. But it's a good working model. [00:28:13] Speaker B: Right. [00:28:13] Speaker C: We understand that bulk energy serves a lot of people, and if a lot of people don't get electricity, we have problems. That doesn't extend to other sectors, unfortunately. And there are actually more complex systems out there. So I currently work in the rail sector quite a bit. That's the most significant sector for my firm. And the systems of systems and complexity of there. And doesn't matter if there's 100 people on the train or if there's 12 people on the train. A safety incident is so impactful. And so these constraints that we have in borrowing from energy really start to break down. In those other sectors, of course at sisa, the critical sectors or the lifeline sectors were energy, water, transportation and communications. But when you start to kind of expand that lens, you have rail and buildings and smart greenhouses, right, Dams. Anything like I said earlier, that produces a product, service or resource becomes critical. And so this built environment is everything around us, like I mentioned before. And so when we start to expand that it becomes kind of a larger than life problem. And then we have to get back to like how do we do something about it? And so we can't get over our skis and say, well, it's all, it's too much. There's too many systems, too many components, too many vendors, too many risks and we just can't deal with it. So we're going to reduce the market or have these poor outcomes. Yes, the component list is growing and these devices in the design phase are just another system in a complex system of systems. But things I'm concerned about are things like vendor lock in versus vendor consolidation at the strategic level. So I worked with a energy company when I was at CISA and they said they had so many third party risks that happened, third party incidents that happened. They had to spend so much time investigating the impact from that third, those third parties to their organization. In one year there was a hundred, a hundred incidents in one year it was a major company. Luckily none of them had cascading impacts to their organization. But they had to spend so many resources figuring that out. So they said we're going to, we're going to reduce the vendor list. We're only going to work with X amount of vendors From a company strategy. Well, we have single points of failure and consolidation risk. So how do you weigh those out going forward? When we're looking at the built environment, vendor lock in might cause you to use things that make you less secure and you know, vendor consolidation might create more single points of failure at the same time that we're building complex interdependence at a degree never seen in human history. So what the question from like a technical perspective is what does an OT SolarWinds type event look like if we have that vendor consolidation and then from a kind of management perspective, when we have vendor lock in, well, we might have a security tool that works for 10% of our environment or 60% of our environment. We have to go buy another tool for the other 40 and you have this patchwork, right. You single, what's the phrase? That used to be an ugly phrase? Point solutions, right. Used to be an ugly phrase like 10 years ago. Now I'm a huge fan, right point solutions because they are the best in class, but if they're not part of the partner network or they're not offered by your vendor or your oem, you might not have access to a best in class capability. So that's going to price you out of security really quickly too. So that's really what I'm looking at is like that strategic level. How do we build this by design? We don't bolt it on in the future and really have these interdependence questions upfront. So we're not really creating single points of failure or making our security just impossible to achieve. [00:31:16] Speaker A: One of your recent focus areas is the role of EPC or engineering procurement, construction firms and system integrators and control system cybersecurity. Where do you see the biggest gaps or to look at it a more positive way, the biggest opportunities for those players to improve security outcomes. [00:31:32] Speaker C: Yes. I don't use that phrase earlier, trusted advisor lightly. When I say trusted advisor, I mean truly agnostic. When I come to work with you, wherever you are, I work for you. Right. That's kind of the fun part of consulting. Like whatever your logo is, I've got the hat on, I've got the vest on and I'm in it with you. That's really exciting for me and that's something that drew me to the EPC world. The thing at STV that I said I would not do is I would not build a managed service and I would not do reselling because you can no longer be agnostic when you're doing that. So for EPCs and integrators, I think that they're. It's unregulated. Right. There's no cybersecurity regulations for designs of buildings. Unless you talk to the Coast Guard, they have a unified facilities criteria. There's no broad set of cybersecurity requirements for systems integrators. Right. But there is a ton of customer voice from EPC and system integrators that can actually shape how the cybersecurity market and even the consultants like me show up to solve problems. And I really think that's the opportunity we have. We do see common themes, like I said before, of referencing things like 6443 or NIST CSF on some services contracts. But from a design and build phase, it's still kind of the wild west. So if an RFPR contract happens to include cybersecurity, it's a happy accident. But I Would like to see this like subsector, however you want to shape it of industry form a common language, a framework or a maturity model that they can consult at the beginning of an RFP process or proposal or bidding. And I don't mean another security baseline. Right. Earlier I told end users to build their own baselines. I don't mean a baseline, I don't mean a checkbox of security controls. I mean when you're doing these go no go conversations for executing work, do you stop to say, have we considered digital risks as it pertains to the concept or design here? Do we know if the end user or customer cares or has a plan for how they secure this infrastructure, whether or not it was part of the RFP or the initial discussions and what additional considerations do apply? Is there procurement language we can provide as simple as look for vendors who have vulnerability disclosure programs, period. That's a very simple one, very easy, non standardized. Right. You don't see it everywhere. Hardening guidance, network security guidance that we just discussed configuration aspects for those hardening guidances from the OEMs. Those exist, but if you're not asking for them, they're not coming with the project. So how do we build that kind of foundation? Again, not another list of controls, not another tool, not another framework that's going to be updated, but something that is a standard vernacular across the built environment from the beginning that we all use. Right. I would love to see that, that [00:33:52] Speaker B: everybody in the industry uses, or everybody in that organization uses. [00:33:56] Speaker C: Everyone in the industry. I would love to see everyone in the industry say we ask these five questions and they're not specifically security controls, but we ask these five questions and if the customer doesn't want them, they don't want them. And if it's, if it's, if it's a big risk, we don't do the project or you know what I mean, depending on how it shakes out, we ask these questions. [00:34:10] Speaker B: Yeah, but you also rattled off a bunch of other question questions which comes back to the trusted advisor. And you don't know what you don't know. So you're there to guide everybody along the way. [00:34:20] Speaker C: Sure. [00:34:21] Speaker B: But dj, you also talked about the challenge of understanding the true scale and scope of cyber physical risk nationally. What makes that so difficult today? And what kinds of frameworks or data would help us do a better job? [00:34:36] Speaker C: Yeah, so I've never said this in the same place, but I have given these three data points before. But I'm gonna put them all in one place and I'm Excited about that. When I was at Guidehouse, we had a global building stock database, I think that's what it was called. And it basically had an estimate of the square footage of every type of building and warehouse in the globe. Was really cool. It was really cool to use that. And so one time when I was looking at some ransomware research early on in the days that I was focusing on industrial control systems and intrusion detection, I did some math and analysis and tried to estimate, you know, what was out there. And for energy, water, food warehouses and critical manufacturing, I was able to estimate using other databases in that one that there was roughly 8 million sites just for those four sectors in the world. And so that's astronomical, right? If you think about 16 sectors worldwide, that's just four. And critical manufacturing is actually a subset. So that's a percentage of every region that is considered critical. I think in the US it's maybe 60%. In Asia, it's higher. In Europe, it's lower. Right. Different things like that. That. That was all in this quantification of the 8 million. So 8 million is not every site. Right. It's a critical manufacturing food warehouse, which is not the same as farming and agriculture. It's just the production location. Right. So again, it's a subset of a subset, and it's still 8 million for four sectors. So that is crazy to secure in quote, unquote, the built environment, and then you have the number of potential configurations of the control systems in those environments. So I did another presentation where I grabbed a statistical analysis and I said, well, a Rubik's Cube has quintillions of permutations that you can actually build on a Rubik's Cube. And the control systems don't have quintillions, I don't think. But if you were to take an average of 8 million sites for that first dataset, and you have maybe 12 vendor systems on average in any environment, which is the average we've worked with for the last 10 years. And of those 12 systems, you have five potential languages that you can use for the logic in those systems. You have millions of millions of millions of potential configurations in those ecosystems that are completely blind to your security framework. And then the last thing I'll say is, when I went to the national level, everyone wanted to build this national asset inventory. Where are all these systems from these OEMs that have been built and deployed in the world? And we know the vulnerabilities on them. So let's go rack and stack them. Well, we can do prevalence. Okay. Right. We can count how many systems were created and sold by any given OEM and to different integrators and resellers. The problem is provenance. We don't know where the end user got them last. Right. So they might have been sold 10 years ago from Schneider, but they might have been most recently bought from ebay. We don't know what kind of configuration is on there, what software is on there, what the firmware looks like. You have no status update. This is even true for the things you might find on Shodan. You don't know the rest of the picture for those configurations. And so that provenance question of chain of custody is another way to put it, is massive. And so when you start to think about this on a national scale, the only way to get around it is to have asset owners take ownership of of this risk problem and do some of the things I talked about earlier. [00:37:30] Speaker B: So continuing on this discussion about assets, there's an ongoing debate around assets versus functions when assessing cyber physical risk. Can you break that down for us and explain why that distinction matters in practice? Yes. [00:37:41] Speaker C: Yeah. So CISA had historically referenced the 55 critical functions in a framework. And so these are vital to the security, economic health and public health and safety of the nation. So that's the function set. Critical assets were defined as basically systems which, if destroyed or disrupted, would cause national or regional catastrophic events. The reason that this became kind of a thorny subject across the OT infrastructure, and this is what I actually published this in some Atlanta Council research a couple of years ago, is that that breaks down to threats from threat actors and their capabilities or TTPs, to impact functions versus threats to specific assets in terms of vulnerabilities that exist on those products. And I think that those two things can cause security programs with budgets and personnel and limitations and different strategic risk priorities and different threat models to spend all of their money on either or both and not actually have a significant reduction in their risk. So if you're spending all of your focus on ttps from a threat actor, you might not actually even be understanding your core interdependencies and your worst case scenarios from an effect effects based approach within your environment, and vice versa, if you're spending all of your money and your time on vulnerability and looking at your CBSS scores and trying to patch the things that seem agnostically to be the highest severity, you might actually be missing some interdependencies where a simple firmware upgrade might actually significantly improve your holistic security. And so you can't do These things without the core understanding of your environment. And so that context is so important. So that's why these kind of debates are of what's more important, a function or a output or a specific device or asset and its vulnerabilities. It breaks down really quickly in my mind and there's a plethora of vulnerabilities and different impacts that are there. And so you can only do it yourself, really. [00:39:28] Speaker A: You kind of led me right into the next question that I wanted to ask you. Although I think it's a big and complicated question given the shifting geopolitical and technological landscape that are out there right now. How do you see some of these threat models changing for critical infrastructure operators in the next few years? [00:39:43] Speaker C: Yeah, solve the world's problems. [00:39:46] Speaker A: DJ you can do it. You have 30 seconds. Go. [00:39:50] Speaker C: Of the two things I've already said before where I focus in on that, I think a lot of security teams that are very, very well positioned to do great security work tend to miss it's interdependence versus single points of failure like I mentioned earlier. So to me this is a symbiotic relationship. I actually have a whole week of one of my courses where I just focuses on the different types of data available to manufacturing. You know, what we're getting out of these historians, why it's important, how processes run and how they reduce. They increase energy efficiency by employing this new lighting, they do all of these different things. And I actually spent a whole week on that so that we understand that we're not going backwards in terms of increasing automation, increasing technology, interdependence and all of these use cases. But I do think interdependencies from those technologies and those evolutions and single points of failure is a symbiotic relationship. I don't think we're ever going to to engineer our way out of that. And so of course cyber informed engineering, doing more things by design is a great idea. But I also think that we have to understand that we have not been able to itemize essentially the outcomes and consequences that are related to cyber scenarios. From an engineering perspective that would always lead to cascading impacts across an organization. So there is no cookie cutter way to say if you do X, Y and Z in your environment and your architecture, here's what's going to happen to you. And the way to get around that, I think, is to really understand that regardless of the fact that ot specific targeted like malware and incidents is not common, you need to bring it back to integrity. And this is Actually, the one thing that I love growing up from a nuclear policy space is integrity. There's this principle for nuclear weapons of always never, it must always be ready to launch and never be launched on accident or subverted in our control of that launch. And so when we look at integrity, you have to be able to know what you know, how you know it, and how you can verify it. So regardless of the fact that we don't see a ton of OT specific attacks that are really targeting the native functionality of a control system and the ladder logic that runs that control system and this set point in the actual sequence of the control logic that's being executed, doesn't mean that you shouldn't be able to pinpoint when something happens in your process that you understand how a variable got there. And so that's really where the security conversation is in ot. And nobody's missing that either. It's how do I build the right baseline, invest in the right tools and capabilities to actually stay ahead of the threat in a way that protects my worst case scenario. So I always say effects based cybersecurity is the way to go. And effects based cybersecurity will always lead you to reviewing your interdependence and your single points of failure, regardless of what the next thing that the threat actor is going to do. This actually leads us to an interesting different debate, which is back to that vendor consolidation, not from a third party perspective, but from a controls perspective. Like there are conversations now that we should just make more homogeneous control systems environments, right? I'm not on that bandwagon, but it depends, right? There's a lot of different ways to, to scope that depending on your sector, but it's really, it's a dependent conversation, right? Your failure modes, your worst case scenario, your effects based approaches are going to be dependent on your environment, your resources, your current tooling, your security stack, your architecture, you know, who can touch it, the exact processes you're running. So it's never going to be something that we build and we set it as this like shiny object on a mountain, everyone can go and follow it. It's just never going to happen. [00:43:19] Speaker B: Yeah, I mean, this is the right question to ask you. Dj, you're the person to answer this. If you had one piece of advice to infrastructure owners, operators or policymakers trying to make meaningful progress in OT cybersecurity today, what would it be? [00:43:35] Speaker C: So I spent the whole whole podcast saying, you need to be holistic, you need to be strategic. You've got to take all these inputs and define your outputs correctly. But I also think you have to start today with what you have and keep an audacious this goal in mind. So years and years ago, I had a consulting firm come into my first job and say, we're going to build real world outcomes based on audacious goals. And I was like, this is such a dumb exercise. Like, I was young and I was rolling my eyes and I was like, who would pay for this? Oh, my God. And by the end of it, I've borrowed this everywhere I've ever gone. And so when I'm doing mission work, vision work, strategic objectives, goals, outlines, I pick an audacious goal. And then you build from the resources and capabilities you have to get to that goal with a timeline. Right. And you can build all of the strategy with that audacious goal in mind. But I would caution people to not give up on audacious goals, but to understand how you get there. And so building that continuous improvement with what you have today requires some really hard internal investigations. But don't lose sight of that audacious goal just because you know you can't achieve it this year. Start today, build the plan. If it's six months, if it's six years to where you're going to get. Because you actually run the risk of six years from now being at the same place you are today if you don't get started. So I really think that that's it. And invest in learning. Invest in learning for everyone. You know, there's all these different ways to get training and up train and reskill. And I think OT cybersecurity just needs to be offered earlier and more actively across the instrumentation, the automation world, the cybersecurity world. I mean, law, there's so many different disciplines that I think could benefit from just understanding that this matters and how it can be compromised and how it can be strengthened and bolstered. So those are the two things I would recommend. [00:45:11] Speaker B: And it impacts everybody. So you're right on target. Everybody's got a. Everybody's got a stake in the game here. [00:45:17] Speaker C: Yep, yep. We didn't even talk about, like, hospitals. Yeah. We could go on and on. So. [00:45:21] Speaker A: Yeah. Yeah. Like I said, I have a feeling we could be talking for hours and hours. [00:45:25] Speaker B: You might have to have to do someday. [00:45:27] Speaker A: I was just gonna say that we [00:45:28] Speaker C: could do it specific. [00:45:29] Speaker A: Yeah, yeah, absolutely. Yeah. Now, this has been terrific stuff. DJ people didn't lie to me at S4. You're a good podcast guest. [00:45:37] Speaker B: Thanks. [00:45:38] Speaker A: So you've proven to be a good podcast guest. And I know that my friends now are not liars. So win, win. Thanks so much for being on. We really, really appreciated your time. A lot of eye opening stuff in there, so great. [00:45:50] Speaker C: I know I can tend to ramble, but I really appreciate the questions and your time today. [00:45:53] Speaker B: That's great. [00:45:54] Speaker C: Thank you. [00:45:54] Speaker B: D.J. [00:45:55] Speaker A: stephanie, I told you she was gonna be good. Really good stuff. You know, I always write down something somebody says that I'm like, I wanna talk about. And I wrote down like four different things. But I'm gonna go with one of the last things she said, which is I love the idea of. Although she didn't like it at first. Make an audacious goal, I think, I mean for. Not just for cybersecurity, but whether you're talking about manufacturing, whether you're talking about life. Stephanie like the idea of keeping simple achievable goals. You don't get anywhere. And so I know an audacious goal can actually be. Be somewhat daunting, but it sets you on a path to try to accomplish that audacious goal. It's like the early days of NASA. We're going to try to do this thing. It sounds crazy. And then you work toward it. [00:46:44] Speaker B: Yeah, well, the other part of that was invest in learning so you can have this audacious goal. But really if you don't, you know, make that investment in people and learning to get to that next level, you're just gonna, you're gonna be stagnant. I think so, yeah. So much great information. Like, I just feel like we just, just had a masterclass in cybersecurity. I feel like we need to invite DJ back because there's so much more to talk about. [00:47:10] Speaker A: So I just want to spend like a whole podcast talking about her theater background and she wants to talk about your food truck. So we got a whole, we got a whole other thing going on. [00:47:18] Speaker B: Your commercial career. [00:47:19] Speaker A: That, that was wonderful and productive for everybody involved. Now that was a great one. You know, I geek out about cybersecurity, so that was a fun one for me too. Thank you everyone who is listening. We appreciate you guys out there. I have to say this. Contractually, please give us a. Like, give us a. Subscribe, subscribe to the podcast. It helps us out. We really do appreciate having you here. For more great information like this, check out our whole suite of sites. Stephanie talked about a lot of those. We've talked about them previously. Whether that's packaging, OEM or engineering.com or consulting, specifying engineer, plant engineer, control engineering, where you've likely found this podcast. A lot of great information there. So as always, thank you for joining us. [00:48:01] Speaker B: Thank you. Please Follow us on LinkedIn, follow our control Alt Manufacturing page, and you know, subscribe to our newsletters as well. So again, thanks for joining us everybody. Have a wicked good day. [00:48:15] Speaker A: Bye everybody.

Other Episodes

Episode 4

November 18, 2025 00:38:13
Episode Cover

Ctrl+Alt+Mfg: Ep. 4: Making Digital Transformation Real With Alicia Lomas, Lomas Manufacturing

Digital transformation is everywhere — but what does it really mean for manufacturers? In this episode of Ctrl+Alt+Mfg, hosts Gary Cohen and Stephanie Neil...

Listen

Episode 15

May 04, 2026 00:43:58
Episode Cover

Ep. 15: Industrial AI’s reality check, with Josh Peeno of JPeeno Innovation Group

In this episode of Ctrl+Alt+Mfg, Josh Peeno, P.E., joins the conversation to explore why so many digital transformation and AI initiatives in manufacturing fall...

Listen

Episode 2

October 21, 2025 00:30:13
Episode Cover

Ctrl+Alt+Mfg Ep. 2: Uniting Disparate Data With John Lee, Matrix Technologies

In this episode of Control Alt Manufacturing, hosts Gary Cohen and Stephanie Neil sit down with John Lee, senior manager of manufacturing intelligence at...

Listen