Stuck in Traffic – Insider Threat

Archive for October, 2016

Securing Food Production

As a rule, I like to work out an idea over a year. Explore this aspect. Explore this other aspect. Have discussions with folks in the know and folks who are learning, and come up with yet another take. And I do this, year after year, getting a firmer grasp on the theory and strategy behind a particular security problem.

This year? It’s been the operational technology behind food production. I’ve explored this three ways:

Food Fight. The first few Food Fights were interactive question-and-answer sessions at BSides events. These described the problems we see in the food production industry, and explored how to assess them technically. I gave these sessions at BSides Indianapolis, BSides Chicago, BSides Cleveland, and BSides Detroit. Then, at CircleCityCon, I gave Food Fight on the main stage. To get a sense of this talk, watch BSides Cleveland’s recording.

Food for Thought. While Food Fight is more technical, Food for Thought is more governance. The talk explores operational technology from the perspective of risk management. It describes shining a light on the OT risks and integrating the findings into an overall security program. I gave Food for Thought at the Central Ohio InfoSec Summit and the North American International Cyber Summit.

Guarding Dinner, or, Lunch. There are technical vulnerabilities. There are cyber security risks. So, now what? The Guarding talk covers several steps organizations can follow to prevent attacks on industrial controls, such as those found in food production. I use a threat model as the foundation and walk through the defense. I gave this talk at MCRCon and as the lunch talk at GrrCon. Watch the GrrCon Lunch talk here.

I’m retiring the series of talks. It was a good way to have conversations around industrial control systems. And we’ve used the lessons learned, both in the original case study and in creating these slide decks, with several manufacturing clients. With that up and running and the knowledge out there, I’m moving on to my next area of interest.

Sneak peek: it’s strategically using encryption, building on past work with threat modeling and business analysis. Stay tuned.