
The Lock & Key Lounge — An ArmorText Original Podcast
Welcome to The Lock & Key Lounge, the official podcast from ArmorText, the leader in secure out-of-band communications. Each episode brings you into the conversation with the sharpest minds in cybersecurity, law, critical infrastructure, intelligence, and government. We go beyond the headlines and vendor buzzwords to unpack real-world challenges—from incident response and cybercrime innovation to legal landmines, boardroom decisions, and threat intelligence at scale.
Pull up a chair, pour a drink, and join us as we explore what it takes to stay resilient in a world where operational security, compliance, and communication have never been more intertwined.
Available wherever you stream your podcasts, or right here on ArmorText.com.
Podcast #14: When Food Stops Moving
The Cyber Risks We’re Still Ignoring
In today’s episode, we’re diving into the quiet crises already happening in the fields, warehouses, and distribution networks we depend on every day—and why so few in cybersecurity are paying attention.
From the $400M breach you didn’t hear about, to the operational systems federal policies refuse to name, Kristin helps us connect the dots between food, resilience, and the future of critical infrastructure.
Hello, this is Navroop Mitter, founder of ArmorText. I'm delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, ArmorText.com, and listen to them on your favorite streaming channels. Be sure to give us feedback.
Matt Calligan:Welcome back to The Lock & Key Lounge. I am Matt Calligan, and joining me today is a guest that isn't just raising the alarm, really. She's actually in the middle of the fire at the moment. Kristin Demoranville is the CEO and founder of AnzenSage, a firm dedicated to securing the systems that grow, process, and deliver our food. She's a recognized leader in OT security. And her writing has challenged both policymakers and cybersecurity professionals to stop ignoring the operational risks inside food and agriculture. So in today's episode, we're going to dive into this quiet crisis, really, that's happening not inside an IT office space or a data center. It's actually happening in the fields, and warehouses, distribution networks, things that we depend on every day but don't realize it. And more importantly, we're going to focus on why so few in cybersecurity seem to be paying attention to this issue. From the $400 million breach you probably didn't even hear about to the operational systems federal policies refused to name, Kristin is helping us connect the dots between food resilience and the future of our critical infrastructure. Kristin, welcome to the show.
Kristin Demoranville:Thanks. Pleasure to be here.
Matt:Absolutely. So we're going to—I kind of gave an intro of what we're going to focus on. So I—and I know we don't have a ton of time today. So I'm going to just dive right in here into some of the bigger questions, ‘cause obviously we eat, everybody eats. This is arguably one of the most critical infrastructure industries out there. But a lot of folks, being on the cyber side, don't quite get how those things connect, right? And so, I'd really like that to be the binding theme here. So we're going to really talk first about sort of how this risk is underrated. So, if that's cool with you.
Kristin:It’s totally cool.
Matt:So you have said—I’ve read a lot of your stuff—and you’ve said before that agriculture has been treated like almost like an afterthought in national defense conversations. So what makes the food system so vulnerable and possibly ignored from certain perspectives when it comes to cybersecurity?
Kristin:Yeah. I think what it really comes down to is we have the most complex system on the planet, which is our food supply system globally. And because—
Matt:We being the U.S. or just in general?
Kristin:No, the world. It's the most complex system we've created. We did it our—to ourselves. And it's interesting ‘cause as I'm—I’m writing a book, obviously, a, you know this. But it's Securing What Feeds Us. And it will be out next fall. So a year from now. But in doing research for this, I really dug into how we came to where we are right now with that. And it's super fascinating. It's kind of wild, actually, to think about that we went from people who were in a cave that were like eating raw meat ‘cause that's all we could get or twigs, to having this entire system that entertains and is part of our religious experience and moves food from one end of the world to the other. It's crazy. The thing we didn't do was, originally, we used to protect our silos and our other food sources physically. We used to have guards out in front of them. You think about wars, whether you're Roman or something like that, or the Greeks. They’d had guards posted. Well, we start using tech. And the problem is that I think tech is really super misunderstood in general. And I know you're totally going to echo this in my—what I'm about to say—we just didn't realize that it wasn't made securely, and we didn't realize that you have to do other things around it to make sure it wasn't part of the attack vector. And I think with food, it wasn't that it was forgotten necessarily. It was just, like you said, an afterthought like, oh, well, we automated all of this. Maybe we should have added security. A lot of people like to point fingers at the legacy tech, and you and I are both OT people, and we know the legacy tech is just here. It's going to be here until—
Matt:It's always there. Yeah.
Kristin:Yeah. And I don't think blaming it is the right thing to do. You just need to work with it. And it takes a certain set of skills to be able to work with it properly. The other thing is, the food and agricultural sector is about natural cycles as well as systems thinking. And systems thinking isn't a normal person thinking structure. We—not everybody thinks in systems, and not everyone thinks about if something happens at 2.00, something's going to happen at 7.00, if you want to look at it like that. And it's really difficult to understand how the system will break very easily, how fragile it is, because it is held together with bubble gum and shoe string sometimes, and duct tape. And I really—I get frustrated when I hear interviews or read articles about people who say that the food and agricultural sector is an easy target. I want to make it very clear that it's not that it's easy. It's just the hackers and the bad actors and the nation states and every other bad person out there has realized how complicated it is, and they've taken their time to learn it, and they see the vulnerabilities, and they're going for it. And a lot of people thought that nobody would ever touch food ‘cause everybody's got to eat, including all the people I just mentioned—all these bad people. And it doesn't matter because disruption pays out. If you can disrupt an industry that is dependent on spoilage or any type of we got to get it immediately—food security issues, that kind of thing—if people are going to pay out real fast. Right? So really, what it comes down to is it's an industry that hasn't—is underserved for sure in cybersecurity—but also it's an immediate reaction type industry because, number one, its budgets are small. Everything’s forecasted and—
Matt:And just in time.
Kristin:Exactly. Just in time. And if you have something that is—if it spoils off the line or if it's livestock that can't get to distribution in terms of its processing, any of that—what slows down cold storage, you're going to have people absolutely clamoring to pay it and get rid of it, the situation, and move on with it. And I think that's why we've seen an incredible leap in the last—since 2020, really—of just an explosion of attacks on the food and ag industry. And this is just what we know of, though. With all the stuff that's unknown is happening very frequently. And I think I saw a stat recently that the agricultural sector went up almost 101% in cyber attacks in the last few years. That tracks right for me. But yeah, it's such an interesting industry. And then if you want to take it from one other angle—a little bit more of an outlier angle—‘cause you know me and my disruption outlier vibes.
Matt:Yeah. Totally.
Kristin:And the food is emotional. It's religious. It's cultural. It’s—
Matt:It's tied to so much identity.
Kristin:So much identity is tied into it. And now that we have a global climate change situation, food is dwindling in certain areas that it would be normally very plentiful. And we're having to figure out what that means to identify, let's say, breakfast without orange juice, as an example. Because oranges are hard to grow now in certain places, as a random example. So we also have that component that's attached to this. And the hackers or the bad actors know that as well, and they're using that too as a tactic. It's just social engineering 101, really.
Matt:Do you see—this is a—this is kind of a maybe not a curveball question, but something we hadn't talked about previously. But the—I was talking to—I was at an energy conference, and we were talking about the crank path. And that means a big generator needs a little generator to get it started. And it was very OT, obviously very OT focused. But one of the things they said is that—you mentioned how hackers are learning our system—and this echoed what I saw in this energy conference, where they were talking about how the hackers have learned what the crank path is. So they're not hitting the big generator. They’re—because that's super guarded—they're doing is hitting the small generators that would support it. Right? Do you think this lack of visibility in some of these attacks and sort of threats—is that because they're focusing on the things that are just off that radar, from your perspective?
Kristin:Yeah, that's actually a really good point. That's—yes. And I think that's why the dairy industry has been getting punched the hardest right now. They are the most automated and most connected, and people don't realize what they don't know. Right? If you get a system installed and you're not a cyber person and you're a dairy farmer, you're not going to pay attention to the fact that you have a default password or—you—your updates are being done automatically and you have no control over that, or you have a new intern that plugged in a USB key and you don't know why, but you didn't bother questioning it because that person's trusted because they're there. There's a lot of taking advantage of people, I guess is what I'll say. And their insecure behaviors, not because they're insecure people and they don't care about their facilities and their operations. They already are wearing 15 different hats, at least within an hour of their starting shift. So adding that next layer of cybersecurity is really daunting, especially since we've done a super great job in cybersecurity—of the describing what we do.
Matt:Making it approachable.
Kristin:Oh yeah. And—I—they really think that we're hackers and hoodies just sitting in mom's basement in the dark.
Matt:Because most people are—they—that's the thing. You walk into a SOC, and they're all wearing hoodies and the lights are out. I mean, they kind of reinforce it a little sometimes.
Kristin:Yeah. And I really am trying to drive the narrative that that's not it anymore. And it's so interesting to me, too, because you got to remember the median age of a farmer is somewhere between, I think, 55 and 65 is roughly their age. And that's the highest demographic of scams right now, whether it's text or phishing or emails.
Matt:Oh, yeah. Across the board.
Kristin:People are inherently trusting in that bracket of age group, and especially if you come from an agricultural community where community is super important and that trust and community is super important. Well, why wouldn't you trust this text message? Why wouldn't you know? And most farmers or agricultural or even food—like it was. And I know you know this, but that big breach where everybody's passwords and usernames basically got popped, including their email addresses a couple months back, that's going to affect them. I mean, I'm still getting text messages that annoys the absolute hell out of me. But I can't imagine being a farmer in a cab, and somebody wrote a perfectly enticing text that says, hey, such and such, such and such happened. You have to react now to pay this invoice. I could see them going into a bit of a panic mode based on that, because they—everything is immediate ‘cause they're dealing with life and death every day. And if you tap into that—
Matt:Or something that would cause a cascading failure of now we got to throw out 100,000 gallons of milk or something.
Kristin:Yeah. And then—so if you could pile that on top of different aspects of agriculture, it creates this icky feeling around cyber, right? In this icky feeling around these scam people. And it—I don't know what to do. And it's so overwhelming, and it's frustrating. And I think we have to really do a better job of attaching cybersecurity to things that are important and priority in each of our sectors. Most of the time, OT we can attach to safety, right, ‘cause that's paramount. No matter what facility you walk into or what you're doing—safety, uptime, whatever you want to call it—it is all there. So if you can attach cyber to those concerns, just rolling into your safety check or something like that, people are a little bit more agreeable to it. But if you have to create a whole new separate thing, people are like, get out of here, I don't have time for this. This is stupid. And I think that we just have to kind of approach it differently. And this is another reason why I feel like food and ag has been left out of the conversation a lot, is because there just aren't a lot of people that understand it, especially the subtle nuances. The—and I'm not saying that people don't understand agriculture or food. I'm just saying that blending in the hybrid skills that are needed together, that's rare.
Matt:Yeah, yeah. You don't find—it's cyber as an industry hasn't. And I'm not saying this like an accusatory, but just for lack of a better phrase, it hasn't done a good job of bridging the gap between themselves and other non-techie industries. Right? There's this sort of an insular culture. Not necessarily—I think it's changing. A lot of folks, I think, are realizing that they've kind of—the pendulum swung a little too far. But you're—to the perspective of a 55-year-old or 60-year-old who's most of the time is in boots and overalls—that, yeah, it's a complete disconnect.
Kristin:Yeah. And also, cyber is fairly newish, right? It's only been around for, like, what, 35 years—maybe 40 tops. I don't really know what the whole age is there, but I can tell you that that's not—that that's pretty young compared to a lot of other industries, right?
Matt:Compared to food.
Kristin:Yeah. So it's kind of like, well, what do you know, young whippersnapper—kind of comes into play.
Matt:That's right. Yeah. Well—so kind of unpacking this specifically, because obviously our audience is technical. What are the technologies that are out there in modern agriculture that are core to this, that you see impacted by these—whatever you want to call them—hackers or what have you? What are they, and what happens when they're compromised? Talk about a little bit more specifically how that can hurt this cascading failure.
Kristin:Sure. I would say to any OT professional, the majority of the equipment that you see in your day to day—minus specific tools that do specific jobs—are going to be in food and ag. I mean, the big players are all there. And there's a few others that are in the mix, obviously, like tractor brands and things like that. We're not going to start naming brands. We'll be here all day.
Matt:Right.
Kristin:Let's take the easiest example. I think most people can visualize this pretty well. Let's take a dairy milking parlor. They tend to be circular. The cows—a lot of them—will wear some type of wearable tracker on their body, whether that's a collar or some type of other tag. An ear tag as well. Those are also quite popular. They're RFID or they're IoT. And a lot of these cows can actually go in and milk themselves. So if they feel like it's time—I want to go get milked—I'm going to walk in, and I'm going to get milked because these little sensors kick off the machine via their tag, which I think is fabulous. Now the farmer is completely removed from the situation in a way. Right? The other thing, too, is they are all run by PLCs and ICS. If they have similar screens—if you ever sat on a production line, ever—you know those small little windows that are in a silver box. I'm sure everybody's picturing one in their head now. They are literally like that. They have big red buttons—it's really very simple.
Matt:Hit them with gloves.
Kristin:Yeah, exactly. And what happens is the software that's on that, obviously, is from the vendor. And unfortunately, that has been getting popped because it is connected to the internet. Whether that is due to the IoT-ness or the vendor wanting accessibility for maintenance—both probably are a concern. The other thing that's interesting, and a lot of people didn't know this until there was a ransomware attack that hit in Switzerland at a dairy farm. Ultimately, the dairy farmer did not pay the ransom, which is fine and no big deal. We don't—I'm not judging either way. But he lost access to the cows' health data in real time while that happened. So not only is it connected to the parlor, but it's also connected to all those tags that I was talking about. So when you lose access to that, you obviously can't monitor to see if your cows are in distress. He did have a pregnant cow in distress. She lost the calf, and then they had to put the cow down. So the amount of money that he paid the veterinarian and the clean-up of the machine—essentially, they rolled it back and restored it—was the same amount he would have paid for the ransom. So it’s pretty wild. Like—and it's—and actually, I—when I first heard that story, I was so infuriated just by the stupidity of the situation and how it shouldn't have happened. And nobody understands how everything is interconnected. And this is—except for the hackers—it seems like they're the ones that get it. And it just really upset me that we got all this really cool tech that’s improving the farmer's life and keeping them safe, because a dairy farm can be very dangerous. I mean, these cows do not care about you—trust and believe.
Matt:Yeah, yeah. It's—yes, it's like lumbering cars. I mean, you just—yeah. You just get out of the way.
Kristin:Yeah. If you've got—if you have males as well and that—and you are breeding your herd, that's a whole other complication. We all know—we've all heard stories, I'm sure, or seeing them on some type of video. But my point really is, the equipment that's in there is very much industrial equipment. It's a lot of IoT. We're talking cameras. We're talking sensors for doors. We're talking sensors that kick on for spotlights. We've got all kinds of cameras. Not just like Ring cameras and things like that, but legit cameras all over the facility. They want to know who's driving up because, believe it or not, people just drive up to farms and think that they can, like, "Oh, this is my driveway." No, get off. That’s somebody’s property. You're either going to get bit by a dog or shot. Please get off the property. Not—I mean, that's wild to think about, but there's so many different aspects. Weather devices, soil erosion, drones. Drones are used heavily in agriculture now because it's much easier to send a drone up to check and see if how a crop is doing, if it needs water or some pesticide, rather than having to go lumber out into the field and figure out what's going on.
Matt:Row by row or something.
Kristin:Or you have to spray everything because that's how it's done. Now you can actually do spot spraying, which is keeping workers safe as well, depending on the type of crop. It's really fascinating stuff. I mean, on a sci-fi-like geek level, it's awesome. I—so cool.
Matt:There's a—yeah. There’s a lot going on that’s tech.
Kristin:Yes. But ultimately, it's a lot of the similar things that we deal with in a facility that's more controlled, you know? Except now you're dealing with natural systems, and things are a little bit more out of control, and moving, and very mobile.
Matt:Right, right, right. And industrial at the same time. What's—what are some examples of—maybe—what am I trying to say here. Examples of breaches that we are familiar with. We can go—have made some public and splashes a little bit. Talk a little bit about how it's kind of under the radar. But what are some examples that you can point to recently that are kind of evidence of these behaviors?
Kristin:So the one that always gets brought up is JBS. And it's actually really funny ‘cause somebody was asking me the other day—well, was not asking me specifically. Just went out to one of the Slack channels that I'm involved in and said, I don't have any examples of supply chain breaches. And I laughed, and I just put JBS on.
Matt:Yep.
Kristin:It’s like the biggest breach we've had in the food industry. And that was ransomware. And it was nasty. And it was a ten—I'm sorry—11 million payout. And it affected not just the United States, but Canada and Australia. It completely shattered the concept of supply chain for me. USDA couldn't even do pricing of meat for three days because it was so crazy. Australia didn't have meat on their shelves for a few days. It was wild. And there's so many ramifications to that that are still unraveling to this day. ‘Cause let's just talk about the fact that that 11 million was just the ransomware payout. How much was the repair for all of that?
Matt:Oh, god yeah, multiples.
Kristin:That’s—triple, probably that—more than likely, depending on who they brought in for it. It's really—and then on a—on an agricultural side perspective, you have the producers that have sent the cattle to—or yeah, something else. Beef. It's sent the cattle to—I mean, I think also there's some pork involved in this. Sorry. That's why I paused—sent the animals to be processed, right. When those animals leave their facility, they cannot take them back. They either switch the paddocks around. There isn't enough feed to go around. They're not anticipating having those cows be retracted back. They assume those cows went to end of life. And when they couldn't process and slaughter those animals, there was no secondary—or third even—holding pens for these animals. They were stuck in these transport vehicles. And we all have seen them driving, whether it's a semi or a lorry, whatever you want to call it. They—those animals are packed in there. So now you've got stressed-out animals that are—it's—biological things are happening in there, and it's a lot of stressed-out meat, essentially. So on top of that, some of that byproduct, if you will—they couldn't even use some of those animals. And so it was more of a loss. And then how devastating for the farmer who spent all that time, all those years raising that cattle up to make it the best quality he or she could possibly could, and putting all the love and effort into it. And then that happened because of a cyberattack.
Matt:Yep. Yeah.
Kristin:That—that's just upsetting all around.
Matt:If you draw—I mean, there's a lot of parallels to JBS and Colonial Pipeline, which everybody knows about, right? I mean, Colonial Pipeline—everyone talked about it and finger pointing. And, I mean, I know that there's been massive debates about the regulations around cyber being more poignantly enforced. It really ignited an entire conversation under—kind of—they’re organized under the TSA and everything. Did you see something similar with the JBS hack?
Kristin:I think people sat up a little straighter in their chair and realized that, oh, maybe we should pay attention to it. And then a lot of people, I think, there's probably a crunch moment and, oh, maybe we should do something. But really, ultimately, nothing changed considerably. There are several organizations that do trace back their security hardening and posture to that incident, that they became more aware of it. But the problem is, there's still a disconnect with how cybersecurity interacts in the food and ag industry, and how people really need to draw the parallels that it's part of food safety now. Even some of the food safety regulation is going to start rolling through cyber requirements as well soon. And they're very aware of it. And I think that's the piece that's really an interesting piece—is how, like you described earlier, that cyber keeps itself away from other silos, if you will. But the problem is, it's—it can't anymore because it's in—it’s completely integrated into things, so many things, so I—
Matt:Much as everything.
Kristin:I think that those light bulbs turned on. I think some organizations, especially the larger ones, were like, oh crap, we don't want to be spending that much money in ransom or anything else.
Matt:And recovery. Yeah.
Kristin:Exactly. But I also know that digital transformation wasn't done with cybersecurity in mind. And certain of these big houses, if you will. And I—and it's very—and nobody seems to have the right information. And every time you ask, people give you 15 different answers. So there's really no consistency in how protection is done. And I'm specifically thinking of chicken houses. Why I say this—because they're all IoT. You push a button, you turn the lights on, turn your fans on. Your turn—you could feed your flock that way, if you will. But as we've already discovered, just from a computer glitch, we can fire our chickens just as fast as we can raise them.
Matt:Yeah, shut the fans off. Right.
Kristin:Yeah, exactly. So—and I think a lot of people who aren’t in food and ag always kind of look at me like I'm some kind of sci-fi fantasy weirdo who just make stuff up on the fly. And I'm not. We already have documented cases of this that aren't necessarily cyber attacks. Anything that it can—that’s outside of cyber—can be mimicked in cyber. We already have that—those examples too—and it's not so far-fetched. And just because movies are lifting from our everyday lives doesn't make us any more valid—invalid or valid. It's frustrating, but a lot of the incidences that have happened as of late, honestly, are only being reported because of SEC guidelines.
Matt:‘Cause of public and trading.
Kristin:Exactly. And if you're private or a small mom-and-pop-type farm, you don't have to say a thing. So we kind of have no idea actually how bad it is, but we know it's bad. That's what scares me.
Matt:Yeah. What's the—so with the way that regulations are deployed, it usually comes down from the top, right? It's—there's nobody ever, especially in private—in a sector where profit kind of drives everything. Nobody raises their hand and, "Oh yes, we’ll gladly spend more money on something we don't have to." So—and obviously, that's kind of framed a lot of your outrage. What you've been focusing on lately is these gaps. The USDA—they just put out their National Farm Security Plan. From your perspective, was that—did that do a good enough job of covering some of these gaps and addressing that? Where—or are there places that we should still keep focusing on?
Kristin:I think I want to be careful, obviously, how I say this, because I don't want to discredit the work that the USDA is trying to do. I appreciate that they are aware of these issues, which is half the battle right there. Let's be real. But the problem is, the focus is—needs to be adjusted. The lens needs to be tilted a little bit differently. I—yeah, sure, go after foreign countries that are doing harm. That's great. And obviously, we all heard about the agroterrorism with the mushrooms and things like that, which was actually a year old before it was reported. And that's kind of wild, actually, to think about how late we were on that one. But that's fine, and I'm happy for that. I—go ahead and deal with the fact that China is buying a lot of our land and all those things. But the problem with that is, ultimately, we know that China's been hanging out in our electrical grid for a while, right. And they haven't done anything yet. They've just been poking around, reminding us that they're there. And occasionally there's a little bug or whatever happened. But ultimately, they need us to keep our power, and they need us to keep farming because a lot of our food goes over to China. So, the idea of them sabotaging us to the point where they couldn't get their country fed is sort of absurd. So I feel like the focus—maybe. Sure. Pay attention. Obviously, this is good. That's great. But also, we need to pay attention to the domestic issues that are happening. We have a complete rise of extreme radical animal activists that are wreaking havoc all over our farms. I have—there is honestly, there is not one farmer that I haven't spoken to that has, A, been a target of some type of activist behavior, or B, hasn't received a death threat. So that's messed up. That's huge. And they're using digital technology to break in. They're flying drones over, and they're taking photographs. They're getting into systems. 
They're photographing various different types of model numbers and serial numbers. And as you know, default passwords are easy to find online. And it's pretty wild. And then they'll start doxing grandkids of farmers or them. And it's—there's the deepfake issues that are happening now. And we're losing a lot of distrust. We're creating a sense of distrust with the farms, and not just them—to everybody. But the fact that we're viewing them as a little bit weird. So there's this disinformation/misinformation campaign, which is very much a part of cybersecurity and OT. And that’s really driving that up. And I think that we need to have better conversations around that within national security plans, because this is a problem. And then after that, the plan didn't really focus on anything to do with OT. It was 100% talking about cyber. And that's great. I mean, that's fine. We can talk about cyber all day long.
Matt:It's critical, sure.
Kristin:Sure, but there's only so much you can talk about in cyber because all the food and ag is OT, except for like email systems. And even then, I would probably debate that a little bit. But I think we really need to have a different conversation about that. And when I wrote that article—and trust me, I sat on it for a few days before I actually pushed—I actually got called up by the states, and they said—by the emergency management groups—and they were like, thank you. And then I had other conversations with other divisions of the government that were like, thank you for saying the things we can't say right now ‘cause our hands are tied, and we really—‘cause everybody's focused on other things. Right? This is not priority, and for good—for whatever you want to say about that. I'm really concerned that until something really severe happens, like something that's 15 million times worse than JBS, nobody's going to do anything. So if I could be the one person that throws my hand up and says, hey, can we just take a look at this and have a different thought about it—maybe use some system thinking, maybe some critical thinking, some other things? Maybe we can get through that, and I really hope that sparks conversation and dialect and at least a pause like, hey, maybe we should have included OT, and maybe we should have a better conversation of—around the farmers, because they didn't. It was written in a boardroom. They didn't talk to the farmers. I mean, you could hear that very clearly in the—I mean, you and I have worked with consulting firms for a long time. We know what that is. So.
Matt:Well, there's—so you—the conversation clearly needs to evolve here. That’s—and one of the challenges in just about every critical infrastructure industry, you've got the folks that are in the room, and they're oftentimes—they're at the top end of the barbell from a revenue standpoint, from a coverage, whatever. Utilities in a generation, whatever measurement you want to have—banks and dollars invested. There's sort of the large groups—the in the large industry components—that have the money and have the time and the subject matter expertise to be in the room when this is happening or having this conversation. But then there is the vast majority of entities, in the thousands sometimes, that oftentimes aren't in the room, but they're the ones that are—they're the ones that represent the widest surface area of attack. Right. And conversation is a critical thing. There has to be an evolution in that when it comes to bringing in those small and mid-sized produce—producers and having a different conversation. What would that—what would you—who do you see being left out? In some industries, there is a focus of bringing both that small side—those barbell industry sectors, right—the large and the small. Do you see that playing out in agriculture as well? Is—are the folks being left out in your view?
Kristin:I think at this point the communities and the private sector are doing their best to bring everybody in. I don't feel necessarily like anybody is totally left out unless they choose to be left out, because there's plenty of opportunity to be part of think tanks. They're talking about it at ag conferences, every food safe conference's talking about cybersecurity now. I mean, even zoos and aquariums, with the work I do there, they're talking about cyber now. There's so much chatter about it. What I'm wondering is, what's the next step? What's the actionable items that are going to come from this? Because it's great that we're talking about it. Awareness is key. Everybody knows that. But bringing these groups together and start making decisions—‘cause you said it already, if regulations aren't enforced, nobody's going to do anything about it. Right? And I was—I gave a talk at the ICS conference last year in Atlanta, and I said, we've got to think about things with security built—with security in mind. And some gentleman stood up at the end and said, "Well, I'm a manufacturer, and I'm not going to make my products with security by design because I'm not regulated to," and of course the room erupted in boos. And I said, stop. Don't boo at the guy. He's being honest. Why would he do anything? He's not regulated to do anything. Out of the kindness of his heart, would he spend that money? No, like—and I'm not saying right or wrong or indifferent, but I think we're going to have really poignant conversations moving forward. And I think it will probably be region to region rather than nation to nation, as well as state by state. And that's complicated, obviously. The other thing too is NIS 2 is going to force global companies to actually start dealing with their own team—that the regulation firm AMIA—kind of like GDPR did for privacy.
I think we're going to see—and in my mind, I'm thinking about the Jaguar Land Rover issue that just happened, and that came out of—that’s the same group that was hitting all the retail outlets. Right? And—or at least we think it is, I'm speculating ‘cause we still don't know what's going on with that. But if that's true, and that sector bleed over, right, then you would think that there's some overlap here and some learning from different places, ‘cause retail, as much as that’s part of that whole network there, it's also got an adjacent to food. So there's that interesting mix of, well, if retail gets regulated differently, would that force food to get regulated differently? And that's kind of that conversation. So I feel like eventually there'll be regulations that come down, and we'll be able to start having a different understanding. But in terms of threat intel sharing or any of that kind of thing—I mean, you can pay to play if you want for that, but you got to be a company that can afford it. Also, ev—farmers talk to each other, communities talk to each other. And I was having this conversation this past week, actually, about how they still deal with shame. So if you got hit, and you got hit for amount of money, you’re not necessarily going to tell your neighbors about that. You might say, "I had a cyberattack," but you're not going to say it was whatever. And I had to pay that. So we need to—I always say this—we’ve got to move past the shame aspect. It's like, yep, the house is on fire. Let's go put this house out. We can deal with our emotions about it later. It's fine. And I think because farmers specifically put everything into their operation—mortgaging the house, putting liens on things—and it's such a you go—just pray you break even kind of business. Not a lot of people make money in farming. It's not set up to be like that any longer, unfortunately. And it’s—to have something like that hit is devastating, and the attackers know it.
So it’s—makes it even more very totally inhumane at this point, in my mind. But it's just different. And I don't know how—if regulations do not bring the ag community and the food community together to talk, and they just make it in their white castle up in the sky, it's never going to hold. And this is something that policymakers need to start understanding. If you don't get down into the dirt, literally put your boots on and get in there, you're never—it's never going to be right. And it's going to make it worse, a lot worse.
Matt:Yeah. There's the—there's a lot of overlap in ag and some of the other parallels I see with some of these other industries that we work in. Do you—from a—we talk about a lot—we're talking about the problem, right? You're saying everybody's talking about the problem. But do you see an effective information being conveyed in a way that's actionable to most—to the majority of the participants in the industry?
Kristin:No, I don't. And—
Matt:Why do you think that is?
Kristin:I think it's ‘cause there's no common language. So—and I always go back to automotive. Automotive was very disjointed for a long time when it came to cyber and OT. And they didn't have common rhetoric until, all of a sudden, regulations came out and they actually had common language. They could say what this acronym was, and everybody knew what it was or what this particular model was. Everybody knew what it was. There's nothing really like that when it comes to cyber or even IT in food and ag. And sure, there's some subtle nuances, and depending on your sector—and if anybody wants to disagree with me, fine. But I'm talking about overall and overarching. You can't really create policy or regulations or controls until you have a common language. That—and I really—that's part of the reason why I'm—like on a personal level, I really would like it to happen, because at least then we can all be talking about the same thing, instead of having to code switch with each other all the time, ‘cause that's exhausting and it’s difficult.
Matt:And it’s—it is. Well, and it breeds distrust. I mean, nothing is more of a—we all know what happens when we talk to somebody who doesn't speak our language, like literally English versus whatever. There's someone—if there's someone that we need to work with and they don't speak our language, it's—it—there's a level of, is this getting through to them? Are they just—are they doing something and actually not—not in—are they not acting in my best interest? And I just can't pick it up. There's a lack of trust that can—that sort of forms when people don't have a common framework to work with. We see a lot of—that's something that is overlooked so often, even in the threat sharing communities. I—when we—when we're brought in to start a community, I will tell them technology isn't the thing that's going to save you. The trust is what's going to want to make this community actually function. They've—and to your point about the shame—people who have a community that they know and trust feel more comfortable by talking about those kinds of sensitive things, as opposed to trying to just put a—there's a polish on it. And it's also—it hurts the other people about them. I—do you see an opportunity, I guess, where in the industry is the work being done to create this framework? Do you think it's a top-down kind of thing, or do you think there's an opportunity for the people at that—at the edge, out in the field? Do you think there's an opportunity for them to create that framework?
Kristin:I don't think they've got time. They’re too busy feeding the world. Let's be real. So, I do think that it's going to have to be—the top is going to have to initiate. We're going to have to have a baseline-type policy. This is your minimum requirements, right? And then everybody else can build off of that. I mean, that would be ideal. Do I think that there has to be a middle-type ground where somebody else creates it and then it becomes adopted? Possibly. That could also be a very interesting moment. Do I think that there might be—it might come from the top-type companies first? That's also possible. They could regulate down. I mean, they're really good about doing that right now anyways. So maybe. But I wonder—I just sometimes I wonder if it's even—if even the farmer really needs to know that, per se, right? So there's a certain level of responsibility that has to be around the ag tech companies and the different devices that are putting into the field. Regulating them, I think, makes more sense than regulating the farmer.
Matt:Yeah.
Kristin:You can mandate all you want that you can't have default passwords and it can't be like corn one two three. That's whatever you want to say. But if you have more tight security around the actual tech that's in the field and on the line, I think that's going to make more of a difference. I don't think that anybody who's in a life and death type situation—if they're crab farming out in the middle of the sea—they're going to be like, "Oh shoot, I need my two-factor authentication right now." You know what I mean? Like—
Matt:Right. Yeah.
Kristin:So I think a lot of it is going to be really role-specific and really driven by what is going on and how it works in the environment, and how we can keep it secure without hurting anyone and keeping that safety aspect in place. That's going to be interesting, ‘cause I don't really think any industry has that completely right yet. I think that there's still a lot of complications there. And also, you were making it—you reminded me when you're talking about how even if someone doesn't speak the same language as you, I watch body language a lot ‘cause it's always about people and process, and we can't exactly watch everybody's body language all the time, right, ‘cause that doesn't work. And we can understand their process up to a point, but if we don't have any understanding of what it's like to stand in their shoes doing what they're doing, then that creates a conflict as well. So there has to be this almost reverse way of writing policy around this, in a way of, like I said, going after the ag tech companies first, but also creating security awareness that isn't burdensome for these type of industries—that it's just rolled into their every day. You know, it's just as simple as putting on your boots to go out into the yard kind of thing. And I do think that as a society we're getting to that place now because tech is so prevalent. But you can't really talk about AI and agriculture without someone asking you what it is, because they—AI is artificial insemination. So we already have acronyms for things that are the same as our world. So I really think that it's so important for people to understand. And this is just more of a layman's kind of conversation now, where I think it's really important, as consumers, that you understand where your food came from. And don't tell me, "Oh, I got it from the grocery store." Yeah. Okay. Got you. And or—
Matt:Kudos. Nice work. Yeah, I mean, that's great. It doesn't come straight from the farm to the grocery store. Not necessarily. A lot of times it's held over in a warehouse. Sometimes it's trucked across the country, sometimes it's flown in. It just depends. People need to understand how big their global food supply is and how it's not just because you're craving some specific snack from Japan, ‘cause trust me, I get that. But it's about where your food is coming regionally. And if you ask anyone in emergency management in local, they don't know. And so now you've got a whole other set of issues that are now becoming—are coming out, where if you have a regional rock like we had with the distribution for Whole Foods and Whole Foods and Amazon, which was what, the UNFI breach? UNFI? Mhmm.
Kristin:Yeah. And that one was really interesting because it didn't fly under the radar, per se, but it definitely wasn't like big news. But that also ‘cause the news cycle is like, what, a half a second long now. But that was pretty disruptive because I actually knew people who saw there was empty shelves. I had people that couldn't get a birthday cake for friends when they were there at the grocery store. People panicked because we all still have pandemic fatigue. So when you see an empty shelf, you just—you kind of have this PTSD moment. So—and trust me—the hackers and the bad actors and the threat actors are all using that leverage emotionally, because then we’ll act and do things.
Matt:Yeah. You get people emotional—they make bad choices.
Kristin:Yeah. Exactly. And that's the trick—is not to get emotional about things. If you see something that you don't understand or you read something you don't understand, you have to—if it has caused an emotional reaction, you need to calm down for a second. But that breach was really frustrating to me because it only impacted a certain region. And then I have—I had other people who told me that, "Oh, I don't feel like the government needs to be involved in something like this, and I don't think people need to panic about it ‘cause it was just temporary." And people can get unsalted butter instead of salted butter for a week. Yeah. Okay. Sure. If you want to look at it in the terms of the big scale—absolutely. It's really not that big of a deal. But what if that was insulin? What if that was baby formula? What if that was critical food that's needed for whoever and whatever? And if it—if again, if hackers figured out how to disrupt here, they're going to figure out in other places. And this is why I also watch the pharmaceutical side too, because they’re connected to me in ways as well. And it's so fascinating. I think there's so many subtle nuances to the food and ag industry. And I think this is the overarching message I definitely want the listeners to hear. There's stuff that you don't even know that happens in the food industry that I'm just learning about myself as well. Like insects. And I know everybody's like, "Oh my God, what the hell is that?" Not eating insects. Everybody relax. It's the fact that food waste is food stock for flies, and those flies are super important to the animal production side of the house. So, like, chickens, right? You have to feed chickens these particular flies. They have different nutrients in them that have been engineered to keep chickens, for example, from not cannibalizing each other in enclosed space. Right? ‘Cause chickens are just little raptors, and they're crazy.
Matt:They'll eat whatever.
Kristin:Yeah. And—but the fact that they've thought about—you have—you can give the flies to them live or freeze-dried, or they're kind of like—make this like crispy rice—crispy-like fly, and I'm just like, what. So fascinated. But then I thought to myself, what if somebody went in there and messed with the ingredients in those flies, and they went out to the chickens, and then those chickens were processed, and then somebody got sick or we got a foodborne illness. And I just—what—there's so much minutia of—and room for error here. That’s the stuff that keeps me up at night.
Matt:Yeah. And there's—with OT is a—IT is a system built on data, right? OT is always systems built on systems. You have layers of systems. And one of the things with IT—it's much easier to often kind of identify when someone's messing around because there's something coming in and going out. But with OT, you can—the whole live-off-the-land strategy is something that you can make slight adjustments in something that nobody even knows to look for, that, given enough time, create a cascading problem into other systems that depend on it. And then, like you just said, if you're able to inject some sort of disease or illness into one aspect of this, that then creates this can—contagion across the livestock area or something like that. It's something you have to—it's real, right? There—there's things—
Kristin:Yeah. We have plenty of examples of it. I mean, there's a chicken plant with the chemicals that were introduced that shouldn't have been. There's the allergens that were changed by a disgruntled previous employee at Disney who was just convicted a couple months ago. There's so many different things—yeah.
Matt:And they're all connected. They're all connected through—in technology and cyber. It's all that aspect of those things can be done and nobody even knows it. What—I mean, from a framework standpoint here. And it will—I know we've been chatting for a bit, so we'll wrap up—but it sounds like—do you think there's a—there's an opportunity, if you were to kind of just sort of wish into existence the right framework? Is there—is the framework one where it's sort of two-sided, where the more technical and regulatory stuff is focused on the large side and more community-based outreach stuff is focused on the small? Or do you think there's an opportunity for those—both ends of those—to come together? Is there an opportunity to connect them to—together to create something out of that?
Kristin:I think that, more than likely, the regulations will start on the larger side.
Matt:Oh it has to.
Kristin:Yeah. It's just also—it's where the money is too. And they can hire the professionals they need to do it, or the—or even bring them in-house if they want. I do think that their risk models are a little easier to understand in some ways. I—obviously, smaller facilities—that would be easier as well. I'm thinking of small greenhouses that could be easier to regulate with all the IoT because it's contained. The problem I said at one point during our conversation here is that everything in agriculture is moving. It's moving—physically moving—whether it's weather-driven, or it's an animal, or it's a predator, or it's whatever—everything's moving. And how do you write policy on moving things? That's hard, ‘cause the transportation sector doesn't really have major policies in place either. So, I mean, they have stuff, but it's different and complicated as well.
Matt:But it's interconnected at the same time.
Kristin:Correct. And it's hard to deal with two. So I think what's going to happen is—it would be really great if we just had an over-generalized cybersecurity structure and guideline for each country or the world. That would be fabulous. I'd be thrilled with that. Then we can build off of that. If this is my utopian world and—
Matt:Yeah, yeah.
Kristin:Do I think that we need something like NIS 2 in the States? Or we can learn from what happens with it in Europe? Yes, I do. I think we need an OT-related type policy. And then from there, you can sector—you can do different sector files from it. You could create or you can bolster up what's already there for different industries that already have strong regulations. I think that we’ll see water get regulated before ag and food, which I don't think is incorrect. I think that's great. I—we are very close to them. What works in water might work a little bit well in ag as well, but—
Matt:Yeah, similar structure.
Kristin:In terms of community coming together. I do think that the private industry, the academic research hubs, the think tanks—I think that they're going to come together and kind of have their own agreements around it. I don't think it would necessarily be formalized, but I think everybody's going to understand, hey, you need to change your default passwords. Hey, I think you need to actually have someone look at your OT systems and make sure that they're connected properly. I think you need to make sure that you shut your barn door literally. I think there will be industry best practices that will just come out of word of mouth. That's how farming has been forever, right? That's—someone down the street gets something new, and they like it, and someone tries it, and the next farm gets that kind of thing. We've shared farming techniques since the dawn of eating, really. I think that that is going to help—that word of mouth, that community drive. But ultimately, it's going to come down to, honestly, probably the next nasty breach we get noticed. And—I don't want to be that person. I don't want to be that doomsday crier necessarily, but we're kind of overdue for one. I am—I'm very nervous about it in general because I don't want to see people get hurt. And I'm worried about that part, and the food safety aspect and foodborne illness side. ‘Cause it's—everything’s so fragile. It’s—everything’s so fragile. So I would really like to see an overarching OT policy. That would be great. I'm sure some of the OT experts around us would probably disagree with me, but that's okay. And then it would be nice if we could actually see proper segments drill down by sector, since we have 16 of them, and go that way and that route, and then get best practices across the board. I mean, every critical infrastructure is somehow interconnected. There's no reason why we can't have best practices run across all of them in some capacity.
Matt:Yeah, absolutely.
Kristin:And the agricultural industry specifically actually really has an interesting tie around the rest of the sectors. I did a talk about soybeans and how soybeans basically are part of every other critical infrastructure sector. And it's wild because it's in everything. It's part of everything. And if we lose that, then what are we going to do? So I'm hopeful for the future. I should make that very clear. I'm hopeful. But I do think that this is going to come out of private and maybe state-based as well. It could be state regulations here. I also think the pressures from NIS 2 are going to really come over here ‘cause we do have a lot of global companies.
Matt:Yeah, yeah. For sure.
Kristin:But we'll see what happens.
Matt:Yeah. From a cyber perspective, what would you tell—for somebody who wants to engage more meaningfully in this from a cybersecurity perspective with food and ag as a general—where would they begin?
Kristin:First of all, they should go talk to a farmer and go—and also go thank that farmer for whatever they do. I do think that getting to know your agricultural community around you—‘cause you got one, even if you're in a city, there is one outside of the city, possibly some urban farms inside. Getting to know that aspect is really important ‘cause it helps you understand your supply chain locally. That's huge. A lot of people can’t say that. Get out and start to see that, and start to see how systems work with each other. Volunteer—I would say you can volunteer. Make sure that your farmer vets you, though, because they really need to do better vetting. You never know what whack job is going to come out of the farm and make it hell for them. The other thing too is, if you can, also offer and volunteer your services for cybersecurity. If you have a good relationship with your farm neighbors or any of the farming community in general, you can offer up, "Hey, if you ever have a question, you want to know if something's a scam or something happens, just let me know. I'm willing to help." I think a lot of this is going to come down to community and showing that we are there for them. And we're not just there to sell them $100,000 worth of consulting.
Matt:Right. Right.
Kristin:I think that having that communication set open is super important. And then the other thing too is, a lot of universities are doing research around this in the agricultural groups. And I think, if you really want to nerd out and read some white papers, there’s a few out there. Not many, just a few handful really. But just getting to know the information as best you can, and constantly asking questions. And then, please, for the love of God, when you go to an infrastructure conference—whether you're OT or not—say something like, "Hey, I didn't hear anything about food and ag. Why aren't you talking about that? I didn't even hear water. Why aren't we talking about water?" And I'm not—again, I love my oil and gas people. I love my energy people. Love all of them. But good God, aren’t we all tired of talking about you? Can we talk about water and food and ag? ‘Cause God knows we talk about that all the time anyways when we're eating. So—and if you do work in food production, get to know your food safety teams, your quality teams, your food defense teams. It's important that we break down those silos—literally and figurely. All the puns, Matt. All the puns.
Matt:All the puns are there. Man, so many layers.
Kristin:Yeah. And just really have that different conversation. And I—what I'm finding, the more I chase my curiosity with things, the more I open up to how big this—these systems are, and then these micro subsystems. We live in a really amazing world. We really do—that people can think, "Oh, we've got to—we got to farm sustainably our salmons." So we're going to create these farms that are all run on IoT, by the way. In fact, they have cameras that feed the fish. It's crazy how it works. And—but the fact that we're not protecting it with security in mind is very frustrating to me because it's counterproductive to why we're doing it. So that's—the more you can know, the more you can start turning on your OT brains and your cybersecurity brains and start really thinking with that risk lens, I think the better it will be. We need more diversity of thought here. We need more people to come together and think about it in different ways—of how we can be secure without burdening the people that are doing the work so we can stay fed.
Matt:Yeah, yeah. So, final question here. As a fellow member of the Beer-ISAC, I feel compelled to ask you this. So, in a scenario where you spent a long day meeting with folks in overalls and boots, just trying to convince them about cybersecurity and discuss these new ways of going about it… What's a—what would be a libation you'd go to, to unwind at the end of the day?
Kristin:Do we—is it a seasonal question?
Matt:Whatever. But I have one guy who's literally just can't wait for Oberon, which is a Michigan beer. It only comes out in the summer, so…
Kristin:Oh, all right. Well, I'm not—I'm pretty boring like that. I guess it depends on the day. But for me, it's probably going to be a gin and tonic.
Matt:Oh yeah.
Kristin:And with extra lime. And there's a specific gin out of Ireland that I prefer.
Matt:I was going to ask.
Kristin:Yeah. Drumshanbo. It's the gunpowder one. That's my favorite.
Matt:Oh, yeah.
Kristin:That's the one that got me to start liking gin and tonic so…
Matt:And do you have any kind of crafty tonic with it, or…?
Kristin:No, I just—whatever. I mean, I try to get high shelf, but sometimes you just can't. And—
Matt:Sometimes you just need the beer.
Kristin:I do. I do like the Betty Buzz tonic water. That's—I do prefer that one if I can get it. It’s hard to get sometimes, but I feel like that one isn't—it doesn't take away the flavor of the gin, per se. Also, this summer, I did introduce myself to gin and jam, and which is to take a little bit of jam, whatever you got in your fridge.
Matt:Like strawberry or blackberry or something.
Kristin:Like strawberry or blackberry or raspberry. I think right now I have like boysenberry—I don't know, some weird obscure flavor. And you just put a—like a couple teaspoons in, or whatever you—I usually make two at the time ‘cause I'm making one for my partner, but—and then you just put it in with a bunch of lime—I'm sorry—with a bunch of lemon juice. So, fresh squeezed lemon juice. And then just shake it up with the gin, and then pour it over ice and tonic water on top and—
Matt:Wow.
Kristin:If you got mint, you put mint in there too—whatever you want. But some people put it in the little jars, and they'll shake it in the jar. So, if you're at the end of your jam jar, to shake it in there too. I mean, it just depends on how your mood is. It's your house. You do you.
Matt:I'm going to have to try gin and jam. Not going to lie, you kind of sold me on that.
Kristin:Yeah. It’s—actually, it's super refreshing. And I'm thinking about one now, actually.
Matt:There we go. Yeah. Yeah, exactly. I think I know what I'm going to do next. Yeah. Well, hey Kristin, I do thank you very much for your time. I know we actually went overboard than we did—than I'd even anticipated. So, thank you so much for taking the time to talk today.
Kristin:Not a problem. It's my pleasure.
Matt:Well, folks, thank you as well for joining us on the latest edition here of Lock & Key Lounge. If there's one thing this conversation makes clear, it's—we can't build true cyber resilience from behind a desk. The security needs of agriculture just don't fit neatly into these IT frameworks that we use a lot. And if we really want security for our food systems, we have to close the laptop, put on some boots, literally go meet people out in the field, out in the barns, on the front lines of arguably the most critical industry. Until next time, I'm Matt Calligan. Be well, stay curious, and do good work. We really hope you enjoyed this episode of The Lock & Key Lounge. If you're a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we'd love to hear from you. Please email us at lounge@armortext.com or our website, armortext.com/podcast. I'm Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you'll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.