#66: Aaron C. Crow: OT and Product Security (Special Episode)
In this special episode, David and Shlomi, hosts of the Left to Our Own Devices podcast, sit down with Aaron C. Crow, a seasoned Cyber and Strategic Risk leader with 25 years of experience. Together, they share valuable insights on OT and product security, while also exploring the future direction of the industry.
This episode is a republish from Aaron’s own PrOTect It All podcast, where it was originally released.
About Aaron C. Crow
Aaron Crow is an executive leader with more than 20 years of experience in the technology field. He has expertise in technical architecture and design, data migration, network and application security, major network system rollouts, reorganizations, and technology refreshes. Aaron has an analytical mind that enables him to quickly grasp new concepts and communicate technical details to both technical and non-technical audiences. He builds consensus for reliable standardized deployment of enabling technologies by building strong relationships with management teams and staff members at all levels. His extensive leadership skills enable him to influence others while maintaining focus on his objectives.
A Summary of Our Conversation with Aaron C. Crow
In a special crossover podcast episode, David and Shlomi from the Left to Our Own Devices podcast and Aaron C. Crow, host of the PrOTect It All Podcast, engage in a dynamic discussion about the future of operational technology (OT) and product security. Joined by David from Cybellum, the trio dives deep into the intersection of OT and IT cybersecurity, sharing their extensive experiences and perspectives on the evolving threat landscape.Aaron introduces himself as a seasoned cybersecurity expert with 25 years of experience across both OT and IT domains. He has worked at Fortune 100 companies, been a CTO at a cybersecurity software company, and held roles at big consulting firms. His background allows him to see the cybersecurity landscape from multiple perspectives. Shlomi, on the other hand, shares his experience in branding and strategy, having spent the last decade as a consultant at Deloitte and now leading Cybellum’s branding efforts in the product cybersecurity space. David also adds his perspective, having worked in various cybersecurity roles across multiple industries, most recently focusing on product security in the automotive, medical device, and embedded systems sectors.
The conversation quickly moves into a reflection on how cybersecurity has evolved. Aaron recounts how cybersecurity used to be an afterthought, with many companies assuming they wouldn’t be targets. Today, however, the threat is universal, and no organization—big or small—can afford to ignore cybersecurity risks. The trio discusses the changing face of cyber threats, pointing out how technological advancements have enabled a wider range of attackers, including small-scale actors in remote areas who now have the capability to launch sophisticated cyberattacks.
David raises an interesting point about how the expansion of the internet and communication technologies has broadened the pool of potential attackers. What was once the domain of nation-states or well-resourced organizations is now accessible to anyone with a computer and an internet connection. This democratization of cyber capabilities has made defending against attacks even more complex.
Shlomi adds to this by sharing a story about how his increasing involvement in the cybersecurity space has opened his eyes to the many incidents that don’t make the headlines—attacks that are thwarted due to advanced cybersecurity measures. However, he acknowledges the countless unknown potential threats that could exist in the gaps left by current cybersecurity defenses.
The trio explores the convergence of IT and OT security, noting how the lines between the two have blurred over the years. David and Aaron emphasize that while OT systems used to be considered secure simply because they were isolated from IT networks, this is no longer the case. Aaron recounts his early experiences in power plants, where firewalls were considered sufficient protection. Now, the conversation has shifted to more complex approaches like secure remote access, network monitoring, and data analysis.
The discussion also touches on the challenges posed by legacy systems, particularly in OT environments where some systems have been in place for 40 years or more. Aaron explains that while it may not be feasible to replace these systems, organizations can still implement mitigating measures, such as isolating vulnerable systems or monitoring them for unusual activity. This approach allows organizations to address vulnerabilities without requiring costly or disruptive system replacements.
Shlomi and David bring up the importance of focusing on product security, particularly in industries like automotive and medical devices, where the stakes are incredibly high. David highlights the role of governments and regulatory bodies in pushing organizations to improve their cybersecurity measures, whether through the recent Cyber Resilience Act (CRA) in Europe or the FDA’s stringent requirements for medical devices. Shlomi points out that many companies are now being driven to implement cybersecurity programs not just out of concern for potential hacks, but also due to the risk of regulatory penalties.
Aaron agrees, noting that regulations have been a key driver in industries like power utilities, where non-compliance with cybersecurity standards can lead to significant fines. He explains that while adding cybersecurity measures may not always improve operational efficiency, the financial risk of non-compliance often makes it necessary.
The conversation takes an intriguing turn when the group discusses the role of artificial intelligence (AI) in both defending against and facilitating cyberattacks. David shares a sobering story from a recent conference where it was revealed that generative AI had been used to simulate cyberattacks that caused physical damage to critical infrastructure, such as pumps and pressure gauges. This opens up a discussion about the potential for AI to revolutionize both the offensive and defensive sides of cybersecurity, making attacks faster and more sophisticated, while also enabling more efficient defense strategies.
Shlomi poses a thought-provoking question about whether nation-states might eventually need to create air-gapped, or completely disconnected, critical infrastructure systems as a backup plan against cyberattacks. Aaron acknowledges that while this may seem like a logical step, the complexity and cost of such an undertaking would make it difficult to implement on a large scale.
The episode concludes with each participant sharing a defining moment from their careers. Aaron reflects on how his willingness to take risks and step into roles beyond his expertise helped shape his career. Shlomi shares a personal story about how he pursued a dream of recording music with a legendary producer, teaching him the value of taking bold actions. David recounts an eye-opening moment during a laser eye surgery, where he realized firsthand the importance of securing medical devices.
In wrapping up, Shlomi and David provide a call to action for listeners interested in learning more about Cybellum and their work in product security. Aaron also shares details about his consulting firm, Morgan Franklin, and his podcast, Protect It All, which focuses on IT and OT cybersecurity.
This engaging discussion highlights the evolving landscape of cybersecurity, the convergence of IT and OT, and the increasing role of AI in both attacking and defending critical systems. The episode emphasizes the importance of collaboration, regulation, and forward-thinking strategies to stay ahead in the ever-changing world of cybersecurity.