When it comes to OT cybersecurity, the fundamentals still matter - even in the age of AI.
In this episode of Protect It All, host Aaron Crow sits down with Caleb Davis for a practical discussion on securing industrial environments where uptime, safety, and resilience are non-negotiable.
From legacy control systems and tight budgets to AI-powered threats and open-source security tools, Aaron and Caleb explore the real challenges organizations face every day - and the strategies that deliver meaningful protection without requiring massive investments.
A major focus of the conversation is defense in depth: building multiple layers of protection, fostering trust between IT and OT teams, and strengthening foundational cybersecurity practices before chasing the latest technology.
You'll learn:
Whether you're responsible for manufacturing, utilities, water treatment, energy, or any critical infrastructure environment, this episode delivers practical strategies you can apply immediately.
Tune in to learn how layered defenses, strong relationships, and proven fundamentals create resilient OT security programs - only on Protect It All.
Key Moments:
05:41 PLCs and network security challenges
07:24 Challenges in updating OT systems
11:33 Impact of downtime on security
16:03 Using affordable cybersecurity tools
19:14 Building trust in business deals
23:01 Security challenges in medical devices
25:49 Trust and IT implementation risks
28:35 Using AI for safer software updates
31:05 Cybersecurity best practices for plants
33:40 Balancing security costs and business needs
37:50 Nurturing OT like raising kids
41:20 AI and cybersecurity concerns
About the guest: Caleb Davis is a founding member of SolaSec, a cybersecurity consulting firm specializing in advanced penetration testing for embedded and connected systems. Based in Dallas/Fort Worth, he holds a degree in Electrical Engineering from the University of Texas at Tyler and is a patent-holding expert with vast experience in hardware and firmware security. Caleb leads deep technical assessments across a range of high-impact industries, including medical devices, automotive, industrial control systems, ATMs and financial terminals, aerospace components, and consumer electronics. His work focuses on secure design, trusted boot processes, cryptographic implementations, and threat modeling, helping organizations integrate security throughout the development lifecycle and align with industry and regulatory standards.
How to connect with Caleb:
SolaSec: https://solasec.io
LinkedIn: https://www.linkedin.com/in/caleb-davis-400439100/
OTPCAP (OT PCAP analysis tool): https://github.com/SolaSec/otpcap
Learn more about PrOTect IT All:
To be a guest or suggest a guest/episode, please email us at [email protected]
Please leave us a review on Apple/Spotify Podcasts:
Apple - https://podcasts.apple.com/us/podcast/protect-it-all/id1727211124
Spotify - https://open.spotify.com/show/1Vvi0euj3rE8xObK0yvYi4
Aaron Crow (00:00): Thank you again for joining me for another episode of the PrOTect IT All podcast. We talked a little bit before we started recording about the irony of how you meet people around the world. I met Caleb while we were in Singapore. Come to find out, he grew up very close to where I grew up in Texas. The town you grew up in, my family has a lake house there. I spent my entire life growing up there. It's a small town most people have probably never heard of, but we both know exactly where it is. It's just the irony of how small this world actually is. So with that, Caleb, it was great to meet you in Singapore, and thank you for taking time to join me again today, man.
Caleb Davis (00:48): Likewise. Shout out to Bird Island and Cedar Creek Lake. Not many people know it, but go check it out. Thanks for having me.
Aaron Crow (00:57): Awesome, man. So why don't you tell the audience who you are, what you do, all the skinny.
Caleb Davis (01:01): Sure. My background is electrical engineering. I spent my whole life thinking I was going to be a power systems guy, spent a little bit of time in that space, and ended up finding software in college. I really fell in love with software and actually writing it, which seems like so long ago. I did a lot of embedded software development for products and saw a ton of manufacturing and different types of environments for all kinds of devices.
From there I got pushed into cybersecurity and offensive security for embedded, low-level parts. I did a ton of testing throughout the US on medical devices and different networks and facilities. And with that, I started a company called SolaSec in 2024, specializing in full-stack cybersecurity. We're very advanced. We do everything from taking apart a chip, looking at the power consumption, and guessing cryptographic operations based on power, all the way up to cloud infrastructures or supply chain, things like manufacturing lines or distribution facilities.
Aaron Crow (02:12): That's awesome, man. It's funny, I also went for electrical engineering, and here I am doing technology and networking and cybersecurity and all the things. It's funny how we pivot. I talk to so many people sitting in the seat across from me, and many times our careers go differently. Having three kids, directing them: hey, you're 17, you don't know what the hell you want to be. I'm 48 and I don't know what I want to be. I'm constantly adjusting and shifting and growing and learning.
The other thing we talked about leads directly into what you're describing. A lot of the OT things in these worlds are really old. They've been around for 30, 40, sometimes 50 years. Or even if they're new, they're not really new. It was designed 20 or 30 years ago. Maybe I bought a brand new SKU, but it's the same PLC guts that's been there for decades.
And when you consider things like Raspberry Pis and all these embedded components coming in: a lot of times, as an end user, I'm going to a vendor and I'm buying a skid. I don't know the components inside the devices. I just trust them. They plug it into my network, it does the thing. But I have no idea of my hardware bill of materials or my software bill of materials, no idea of the components or the dependencies running in that stack, to know whether I'm secure when a vulnerability comes out. And there's really not a whole lot of effort, many times, until something bad happens, to get in front of that.
We know now, with AI and everything else, it doesn't take much for an engineer to take gear like I have behind me and say: hey, AI, this is the device I have. Help me configure it, hack it, find a way around it, I can't log into it. So how are you seeing that in the marketplace? Are people opening their eyes to the vastness of all that is around them?
Caleb Davis (04:24): Yeah, I think so, which is great. Obviously AI and its capabilities are astonishing nowadays, what you can do so quickly, and I think people understand that in the hands of a bad actor that could be devastating. But you hit on it before. The real issue with OT and ICS, and it's across different industries, not just manufacturing, which I'm most familiar with, is that twenty years ago this line was created. Availability is everything. We wanted to get it working. Now don't touch it ever again.
You and I have both had the conversation: we'd love to do some security testing. Okay, great, you've got one minute on the last Saturday of every other month to actually look at the device. This thing has got to be on the entire time, and it's sometimes running critical infrastructure. So you get these stagnant technology stacks and PLCs that don't have any security.
And now you've got this giant ecosystem, and add to that, everything's connected nowadays. You add connectivity to something like a PLC that speaks Modbus and does exactly what it's told, and now you've got major issues that are network enabled on these devices.
So then you start adding some network controls, which is great. That's a good first step that people should do. But my big concern is that there's so much threat surface behind that perimeter defense. We have to start talking about defense in depth of the actual PLCs, the way they're getting pulled into your facility and network, and understanding what the threat surface of this stuff is, because it's pretty significant on most of these things.
Aaron Crow (06:15): Yeah. And if you look at any one industry, and to your point it's across all of them, the 16 critical infrastructures, non-critical things, whatever: you look at wastewater, you look at manufacturing, and the number of assets and devices they have. In IT, I say this all the time, and if you've never worked in OT you may not get this: if I brought in a Windows XP machine and tried to plug it into the corporate network, they're going to be like, no, no, no, don't do that. Here's a brand new laptop. Throw that XP box, take it home, never plug it into this network again.
But you can't do that in an OT world. And it's not that you can't. Yes, it is possible to replace every device in the world with a brand new one that speaks multi-factor authentication and encrypted protocols and identity access management, all the things. It's just not realistic, because there are so many of them out there. You look at one site, they're going to have thousands of devices. And it's not just about swapping one: the logic that goes into it, the interconnections, the dependencies upon it. And I have to do it in an outage, so I have to take my whole plant down.
Coming from software, you understand the technical debt that we have in software development. It's the same thing in OT. We have all this technical debt of things we've handicapped and band-aided and duct-taped and bailing-wired our way through, and it works. Just don't look at it. I remember being in a plant, and there was a turbine vibration monitoring system in its own cabinet, and as we were going around they literally said: don't even lean on that cabinet, because if you lean on it too hard the whole system goes down and it'll trip the unit. I'm sorry, what? Why have we not fixed that? Instead they put tape around it and signs on it that say don't touch it.
Caleb Davis (08:30): Yeah, exactly right. And you hit the nail on the head. In IT it's easy to think about a single device, or at least a single classification of device, like a workstation or a laptop. Patch it. What's worst case? Maybe something goes down for a day for that user. Not really the end of the world.
But when something goes sour on a patch on a critical Windows server running in an OT environment, that gets knocked over, then downstream PLCs get knocked over, then the sensors and actuators down the line. The idea that misapplying a patch to one thing could take down an entire line is not an understatement. It's well beyond a single device, because these things are all interconnected. And to your point, the person that might have installed that system retired ten years ago. We can't talk to them anymore. That's the world we're living in. Then add everyone's connectivity, everyone wants the data available to see the metrics and improve efficiency in their plant.
Aaron Crow (09:45): Well, and along with that is the people side. Everything is people, process, and technology. When I was at the power company, I had a team of about six people. We supported 40 power plants across the state of Texas. As you know, Texas is big. We had them from Odessa to Texarkana, Denton, Sherman, Paris, all the way down to central Texas around Austin. If you don't know Texas, open a map. Odessa is about eight hours away from Dallas, and that's never leaving the state.
So we had a big spread of power plants, and again, six people. My IT counterparts had hundreds of people, dedicated firewall teams, dedicated this, dedicated that. Many times you walk into a plant, whatever kind of manufacturing facility, you've got one OT guy or gal. They're the ones responsible for it. They take their IT hat off, put their OT hat on, then take that off and put their hard hat on and actually keep the plant running. They're only spending part of their time on this, and they're also behind the eight ball because their stuff is so old.
So how do we expect these people to keep up? I've got limited time. I can't patch things because it's old, there may not be patches available. I don't have any budget. I don't have anybody to help me. What can I do when I have all of these things stacked against me?
Caleb Davis (11:24): Right. And something else that to me is incredibly fascinating: there's an understanding of availability. It's the whole conversation we have, it's why we can't patch anything or touch anything. But to me it's always a dropped opportunity for us as security folks not to talk about these things in terms of uptime, because that's what it eventually boils down to. These functional defects, if they're discovered by an adversary, or caused by tampering from a bad guy, or even an insider that doesn't intend it: we're talking about downtime to a plant. And that's the thing everyone can agree on. Downtime to a plant is the worst thing that could happen, especially when we're talking about critical infrastructure, or just the revenue hit when you're not producing your product effectively.
The one OT tester that supports the giant infrastructure you talked about, or a small skeleton crew of folks that understand OT and IT and security and facilities: that has to expand. You're right, there's nothing they can do in many cases without the budget and the personnel they need. But to get the budget and personnel we need, we need to start talking about the right things, which is not this ethereal nation-state type attack. We're talking about real downtime as a result of pretty basic 2000-to-2010-level vulnerabilities applied at scale to things that are, I don't want to be doomsday, but they're kind of sitting ducks. Time is of the essence to get these things patched.
Aaron Crow (13:10): Well, and the other side of the coin: I used to work at one of these really large Big Four consulting firms, you can look at my LinkedIn bio to see where. We did great work, I loved the company and the team, but a lot of companies couldn't afford it. And it's the same thing on some of the product side in OT. You look at some of the bigger players, and I love them, don't get me wrong. We're very vendor agnostic where I'm at, at Arcova; we work with all the players you can imagine. But sometimes you're at a wastewater facility, and they don't have budget for a hundred thousand, or fifty thousand sometimes, for software or hardware. That's their whole budget for everything. They can't spend all of that on a product and have nobody to run it or tune it.
So that's the other side of this coin. The cost-benefit: these folks don't have budgets, but they still need to do something. That doesn't mean you do nothing. So how can they do something in these spaces?
Caleb Davis (14:19): Yeah, that's a great point. And it's funny you bring it up, because we actually just released a tool that's hoping to solve this exact problem. It's called OT PCAP. I'm sure we'll put a link somewhere for this podcast for viewers, but that's the exact problem we're trying to solve. The major billion-dollar organization: absolutely, there are great tools out there. We're pretty vendor agnostic too. Go get one of those tools, you get a ton of real-time monitoring. It's expensive, but it's needed in a big facility at scale.
But for the folks that can't afford that, or the folks trying to get something started, we wanted to create a tool that's really about: hey, go get a packet capture of your network. Set up a span port, go look at what's there, and just analyze it. Look for bad traffic, look for unencrypted protocols, look for these ancient deprecated things that shouldn't be existing on your network.
And the big thing is first knowing where it's at. Then when you go in and start doing the network segmentation, now you're data driven. You're not just isolating things. You're taking a specific, data-driven approach to put things in their guaranteed spot and quarantine them while you have a process to sunset some of those older deprecated technologies. So I think it all comes down to: do something. Use our tool, feel free, it's all open source, it's on our GitHub. But do something to get an idea of what's even out there first. And that could be any number of different technologies and solutions and tactics.
Aaron Crow (16:02): Well, I love the point you're making there. There are all sorts of things you can do. Don't do nothing because you can't afford the big guys. Don't do nothing because you can't afford EY. There are smaller firms, yours, mine, all of these others, folks that have the knowledge. There are open source tools you can use. Use the same tools the bad guys are using.
Am I recommending that you plug Claude into your control system? No, just to be clear, I am not saying that. That doesn't mean you can't use AI and tools like that to help you figure things out. You can take an offline PCAP and put it in a local model. There are all sorts of things you can do. You can find open source tools like the PCAP analyzer you guys have. That's a way to do something, and then you start building and tackling.
I know we talked about this in Singapore. Most of the OT problems: it's that 80/20 rule. I think 80% of most people's problems can be solved with 20% of effort. And most of that 20% is basic stuff. Actually segmenting your network. Making sure it's not connecting to the internet. Making sure things aren't talking that don't need to be. Turn off services that don't need to be running. Change a password on something. Have an asset inventory. Understand what your devices are. What is my firmware level? Update to the latest stable firmware that you can. Little things like that make a huge difference, and you don't have to buy anything. That costs zero money. It just takes time and effort and attention.
Caleb Davis (17:39): Right. And I think a really important thing too is the trust that's required to work closely with the plant facilities team. When you go in there and blindly say it, or take this dogmatic stance of "everything has to be patched, we have to do this broad network scan," and it's going to lead to uptime issues for their lives: that's why, as security professionals, we have to do the work on the front end. Say, hey, we did our homework. These are the types of assets we think are the most concerning. Here's our OT asset inventory, here are our top players. Let's do a more directed effort. Let's do it together.
With that, we've had a ton of success saying: okay, let's just assume network compromise. The easy stuff is great, we should absolutely do it. But assuming that happens, what's the blast radius? Then be a little more specific with the data you gather. If someone's able to compromise this perimeter defense, this system is compromised. So what do we do now? We add additional layers of compensating controls. We isolate those systems. We ensure a compromise of these insecure systems doesn't lead to a compromise of other assets in a similar network segment.
The big thing is we really need to buy trust. And buying trust means we have to do our homework, and we have to talk in the same language, which, again, is really about uptime. That's what we're trying to ensure.
Aaron Crow (19:17): Dude, I say that all the time. I love hearing it, and it's something I think needs to get hammered in. One of the things I say all the time is: you do business at the speed of trust. The faster they can trust you, the faster they're going to allow you in and listen to you.
I've told this story a hundred times. We bought a power plant. Not me personally, the company I worked for. And I was in there telling the guy that manages all the OT stuff about all the cool stuff we do in OT, how we make it more secure, and segment it, and all this kind of stuff. He's just looking across at me, and he's like: yeah, you're not doing that here. Wait, what? He was completely against it because he didn't trust me. He'd had other people like me come in, promise the world, and it ended up breaking, and he had to undo it or support it.
It took a long time for me to actually build that trust. I built it by connecting with him on a personal matter, but once I built that trust interpersonally, then he would listen to me on the other side, and then I won him over. It just took that much time. It's why I laugh and say: if you're going to a plant and you're meeting with operations, you should be taking donuts, or pizza, or whatever. And it sounds petty, but it's like bringing flowers on a first date. You want to make a good first impression. Show that you appreciate them giving you the time of day to have a conversation.
Caleb Davis (21:00): Yeah. And I would add: if you're in our position, trying to change hearts and minds and improve security, don't have these conversations in some random air-conditioned conference room. Go put your steel toes on and get out there on the floor with them. You gain trust because you've been in that situation and you understand the risks.
We've got to make sure we're pushing in the same direction. That's why I keep talking about uptime. We want this plant to succeed. We want it to make money, do its critical function, ship product. We all agree on the same thing. I'm trying to represent a really bad day. I hope it doesn't happen. Well, let's make sure that when a bad day happens, it's not a bad week or a bad month. Let's get back up and resolve it quickly, isolate it, segment it, all the things to recover in case an incident does happen.
Aaron Crow (21:56): I love all the stuff in the background, by the way; the electrical engineering nerd and technologist in me. So what about the hardware side? I know you were in Singapore at DEF CON with me on the hardware hacking side with the medical devices. What types of things are you seeing that people are having struggles with, that you're finding vulnerable and being taken advantage of on the hardware side?
Caleb Davis (22:28): Yeah, it's really interesting. We do a ton of work with different industries and different technology stacks, and we kind of see it all. It's interesting how history repeats itself when we talk about the different kinds of vulnerabilities we see. And as sad as it is to say, OT is on the complete tail end of that, for the reasons we've already talked about.
More in the actual device manufacturing space: we're starting to see things that were historically academic, theoretical, or incredibly complicated to attack become much easier, obviously with AI, and there have been other technological improvements. I think there are major technological advancements on the horizon that we should start considering now.
But the biggest thing, especially with devices and products that are designed, put on a circuit board, and shipped out: the issue we run into all the time is that they're shipped with a certain level of security, and then security moves much faster than that device lifecycle. We've had issues where someone goes through the whole process of getting an FDA submission, and their device is end of life before it even gets to the point where it's on the market. Now we're starting from behind the eight ball, because there are all kinds of vulnerabilities and exploits, support's dropped, it's just a different world.
We're starting to see advancements on the medical device manufacturing side. But that problem, I haven't even really heard it talked about on the OT side of things. Like you mentioned before, it's really about: what is a plant familiar with? What do they have good contracts with? What can they get parts shipped immediately for and get turned on? It's all about availability and uptime. So they pull it in and inherit all of the technical debt as soon as they do. And there's no consideration of what an attack vector on this network looks like five to ten years from now. It's not even part of the conversation half the time.
Aaron Crow (24:27): No, it's not. I told you I was in Ohio last week, or the week before, all my weeks merge together when you travel like we do. I'm at this facility, I don't need to say what it is. They blow stuff up and they dispose of things, let's just put it that way. I'm walking around, and we're grabbing data, putting sensors out in places so we can map the network and understand what's going on. We're tracking down all the different spots. There's this one cabinet, and we're trying to find an available port in the switch. There are no available ports in the switch, but there's another Netgear sitting right below it. And it's just a hub. One they probably went to Walmart and bought, because they needed more port density. So that's what they did.
And that happens so often. It doesn't just happen with a networking switch. It happens with a computer, a monitor, any number of things. And it's not that they're dumb. It's not that they're malicious. It's that it's two o'clock in the morning, the site's down, and the IT guys are going to say: yeah, order one, I'll get it to you in 30 days, or a week, or two weeks. No, I need it now. I can't wait a week. They don't have inventory on site, so they don't even call anymore. They just go to the local store and buy whatever they can get, or they go to their house and pull something out to plug in, because it needs to work. The plant can't get up and running because this thing is not working.
And the flip side: once it's in there and it's working, they're not going to remove it, because it's working. If I take it out, it's going to break. So they just leave it, and it's just there now. Getting it out after that is going to be really hard.
That goes back to the whole trust thing. If they had a trusting relationship with their IT and their supply chain, they could potentially get something, or maybe they'd want to swap it out. But many times they just put it in and go on about their day. They just brought all of these risks in with that thing they plugged in, and they don't even realize it. Because as we know, there could be backdoors, it could be pinging out. They don't understand what they just did unintentionally.
Caleb Davis (26:48): Yeah, exactly. And you bring up an interesting point. It's trust in the other direction too. What should happen is that once we get enough trust to actually build a robust OT inventory, we understand the assets that are out there. They may be insecure, and we can work to fix that. But day two or three of that endeavor is backup solutions, standard operating procedures: this is what happens when this thing goes down. And that's where IT folks and more OT-centric people can be super productive, because these are all problems we've solved. We just have to apply those solutions to the OT space.
Again, it takes trust. We have to be trusted as the OT professionals and the OT security folks, and they also need to trust that we're going to produce good standard operating procedures to help them keep their plant running without introducing all this shadow IT and all the technical debt and risk associated with it.
Aaron Crow (27:51): So are you seeing the futurization of components, and how do you fast-track that? You just mentioned: I design a chip or a widget, especially in medical devices. How are we able to keep up, as fast as things are changing, when it takes so long to get things FDA approved and through all the checkboxes to actually be produced? By the time it gets there, it's end of life. That's insane. How much money, time, effort, engineering, R&D, and now you've got to scrap it?
Caleb Davis (28:29): Yeah, it is insane. And it's a really tough question, because these things do need to operate. A medical device is a great example. OT is similar. A medical device could be implantable, obviously implanted in a patient for years. You don't want to introduce extra risk by pulling that out. OT is risky too, not as risky as that, but it's the same idea: you don't really want to touch it again. The problem is that you have to.
Honestly, to answer your question, we have to get better about designing a mechanism, even like a digital twin or a replicated lab simulation type environment, leveraging the beauty of AI and all the great progressions there, to really have a better understanding of our infrastructure so we can test things in a realistic enough fashion. That way we can be very specific and tactical about what we're trying to do, and when we start deploying patches and updates, it's less risky inherently. That's the culture we have to get into: actually touching these things more consistently, which means we do our homework, understand what they are, and how we're actually improving the situation.
Aaron Crow (29:49): Man, there are so many problems. Obviously it's job security, I guess. It's not going to go away. We're not going to replace all the devices. And as soon as we do: you saw the Mythos thing come out. Just because it's not vulnerable today doesn't mean it's not vulnerable. It really just means you don't know it's vulnerable today, because there's never been a time where something is secure. The only way it's secure is if it's turned off and unplugged and no power and sitting in the corner.
The analogy I always give is your house. I have a front door. I can put in the most expensive steel door, reinforced, laser guided, all this kind of stuff. But given enough time and opportunity, somebody can get through it. It's inevitable. You can drive a truck through it. I can go to the back door. I can dig underneath. I can go in from the roof. There are all different ways I can get through, given enough time and opportunity.
It's the same thing with cyber. If I can constantly sit there and try passwords and it's never going to lock me out, I'll eventually guess your password. It may take me a long time, but eventually I'll catch it. That's where quantum speeds those things up. And that's why you need complex passwords: if your password's five characters, it doesn't take that long to guess. If it's 20 characters with exclamation points and all the things, it's a lot harder.
Caleb Davis (31:25): Yeah. And I would advocate as well: it's defense in depth, and don't be a soft target. Don't put some janky PLC that has all kinds of unauthenticated protocols and FTP completely on the edge and leave it open. Do the basic stuff, like you always say. Secure that, don't be a soft target, and then understand defense in depth. Assume a compromise of a perimeter firewall: what's the worst thing that could happen? What do we do? What's the backup policy? What do we do to deploy a patch? What do we do to maintain the safety and reliability of the actual plant if something were to happen?
I think that's the conversation, because you and I certainly would not suggest spending your way into oblivion and making a plant completely unusable. We're not going to get any trust like that whatsoever. It's about what we do in bite-sized pieces, and how we integrate into plant operations to do this in an effective manner. Because, again, it's time sensitive. These things are kind of out there as sitting ducks right now. It's urgent, but we can't push everything all at once. That's the balance we have to strike as OT security professionals: do this systematically and with intent.
Aaron Crow (32:49): Dude, you hit on something right there that I call out sometimes: the fact that I can over-secure something so much that it's unusable. If I make it so complex that the process fails and the users can't actually use the thing. Again, imagine a door. Imagine if I had so much security to get to my front door that there were 34 locks, and you had to have a password, and you had to give blood, and they had to take your EKG. Do I want to do that every time I walk in the door, for every person that comes in, with their different keys and biometrics? No. You need to make it as simple as possible while still securing it.
And the flip side of that coin is cost. I can over-secure something, I can gold-plate something. But let's say a site makes ten dollars. If I make security thirty dollars more expensive, they just lost all of their revenue. It doesn't even make sense to do business. Just close down. If I make the security cost so expensive that they don't even make profit anymore, then of course they're going to choose to not secure it. If I secure it at the levels you're recommending, I can't make profit. I might as well just close the business.
So you've got to understand, as cyber professionals: you can't just walk in with security at all costs. There's a time cost, there's an ability and availability cost, and then there's, as you said, understanding the process and that trust cost. This is our business, and this is how it functions. And if it doesn't function anymore, then it's not a business.
Caleb Davis (34:45): Yeah. And that made me think of something as well. I run into a lot of conversations, and I'm sure you do too, where it's: okay, let's get to this level of maturity, and then we're good. We've reached the maturity. Awesome. Making sure that's not the goal, right? The goal is a mature process for adhering to risk. You already talked about it: the threat landscape is moving a thousand miles an hour right now.
If you don't integrate that as part of your process, and you don't constantly make sure you're at a security maturity level in terms of the actual threat surface of your infrastructure, then you've missed the mark. That's not what maturity looks like. Maturity looks like a process for adhering to risks that change, because they're changing every day. That's an important takeaway for organizations. And it's frustrating, because you'd love to just buckle down, get all this stuff done, redo a plant, and say: okay, great, this plant's secure, now don't touch it for twenty years. Unfortunately, that's just not how it works.
Aaron Crow (35:59): Yeah. And we have to understand those things. This is the funny thing I see with folks that work with me, when we walk into these places and they say: this is what you have to do. And I'm just like: yeah, no, they don't. They don't have to patch it. They don't have to get rid of the Windows XP box. And the fact that you're so offended that they have Windows XP tells them everything they need to know: that you have no idea how their business works. And if you thought that was the worst thing we're going to find here, you're sorely mistaken. Many times it's way worse than that. The fact that you're getting all hot and bothered because there's a Windows XP box in the corner tells them everything they need to know: that they can't trust you.
Caleb Davis (36:44): Yep. I mean, it's definitely bad. I don't want to go on record saying I would advocate Windows XP boxes by any means. But if you want it to ever change, you have to go about it the right way. And to your point, being dogmatic about something as basic as a Windows XP box: that's not the way. That's not the way to make any changes actually happen.
Aaron Crow (37:12): You know, I had a heated conversation with a guy when we were in Singapore. He came over and was looking at the OT wall, and we got to talking about open protocols, and why aren't they using secure protocols. He had been in OT in his past, and he was just flabbergasted that we still use open protocols. He's like: well, it's been 20 years, why haven't they solved that? I'm like: no, no, time out. We have secure protocols. OT uses secure protocols, just not always. And he was like: but why?
I tried to explain it to him. First, sometimes you need availability, and sometimes that encryption process can take too long and it breaks the process. But let's get beyond that. Let's pretend you could do it. I said: OT is like your three-month-old baby. You know it's vulnerable. It can't change its own diaper. It poops itself. It needs to be cleaned. It has to be fed. You put it in a crib that locks it up. You put monitoring on it. You know it can't take care of itself. That doesn't mean you throw the baby away because it can't take care of itself. You know that about it, so you put all these other things around it to monitor and take care of it, and somebody's watching it and feeding it and burping it and checking on it all the time.
That's how we should treat our OT. And that's not to degrade OT like it's a baby. It's an analogy to show: I know these vulnerabilities, I know these limitations, I know these things are there. How can we protect it anyway? We do it with babies all the time. I've got three kids, and somehow now they can change their own pants, they can make their own food, all the things. They got through that stage because I protected them in that space so they could grow up and do it on their own.
And that's how we should nurture our OT environments: knowing that I can't boil the ocean. I can't just replace my three-month-old with a 20-year-old. I have to grow it into a 20-year-old. Most of our OT environments are that baby, and we need to mature them, and it's going to take time.
Caleb Davis (39:22): Right, I agree. And the part that makes our jobs very complicated is that it's still vulnerable. At the end of the day, it's vulnerable until the point that we secure it. So the solution is not being dogmatic. The solution is exactly what you're saying: cultivating a culture of trust to actually make those changes. Because they're just sitting there right now, all vulnerable, wallowing in their open protocols. That's the world we live in.
Aaron Crow (39:57): It is. And it's fun. I love what we do. I think we've made a big step from an understanding perspective. More and more folks really see what we're doing and how we're doing it. More people understand that OT is a risk. More people are talking about OT than 10 or 15 years ago, when the term barely even existed. Those are all good things. Unfortunately, I still see budgets lacking or lagging behind in OT. They're improving in some organizations, but others are still struggling.
But that's why I do this podcast. That's why I bring people on like you, to have these kinds of conversations about what the downfalls are and what things you can do. It's not the end of the world. You can do it on shoestring budgets. You can find products like the ones you guys have, for companies that can't afford the big guys. That doesn't mean you can't do something. Grab their product, plug it in, start seeing what's there, do some analysis, and make some simple changes that get you maybe out of the diapers and into training pants. Take those baby steps, literally, to get yourself into that next maturity step.
Caleb Davis (41:13): Yeah, I agree. And I appreciate this conversation and what you do in the OT space, because I think this is ultimately what changes hearts and minds: more people talking about it and being pragmatic about the actual solution as well. So thank you for having me, and thank you for the work that you do. I know you're over at the ICS Village all the time at DEF CON, so I love to see you guys every time I'm out there, and I'm looking forward to it again this year.
Aaron Crow (41:38): Yeah, man. So let's go with the question I ask everyone. What's the one thing coming up over the horizon that's maybe concerning, and what's one thing that's exciting that you see in our space?
Caleb Davis (41:51): Ooh. Concerning has to be just AI. Mythos, I know everyone's tired of talking about it, but it's less about Mythos and more about just the acceleration of vulnerability detection with AI. And abliterated models, the ability to just run whatever you want without guardrails, is extremely scary in the hands of anybody, much less an adversary that actually wants to cause harm. That's absolutely the thing I'm most concerned about.
And excited: I think in general, people are starting to see it more. I've been in this for a while now, and I remember talking about cybersecurity more like I was an insurance salesman, no offense to insurance. It's hard to tell people that these things exist. Unfortunately, sometimes these actual events and major reputable hacks push people in that direction. But I think people see the technological improvements and advancements over the last couple of years, and they understand that security is absolutely something we should really care about, and it's hitting every industry. I don't know if I've seen the same level of vigor regarding security in my whole career. So I'm excited to see that. Hopefully it continues to progress, because it's going to be necessary with the changing landscape of adversaries and threats.
Aaron Crow (43:17): Yeah, for sure. AI is usually the answer. It's not wrong, though, because it can be the good and the bad, both sides of the same coin. We have to use it, because they're using it. If we don't, they're going to use it against us, and we're going to be behind the eight ball.
Aaron Crow (43:30): All right, so what's the call to action? How do people get a hold of you? We'll put the links in for things, but definitely talk about the GitHub, your OT PCAP, whatever you want folks to know about you guys and your company.
Caleb Davis (43:50): Yeah, sounds good. solasec.io. We post blog posts talking about stuff we find interesting. LinkedIn: Caleb Davis on LinkedIn as well. And then we're at all these conferences, so we love just talking to people and meeting face to face. By all means, swing by. Obviously go check out the OT and ICS Village if you're ever at a conference where they're at. And I spend a lot of my time in the Biohacking Village. We've got some cool stuff planned for DEF CON this year as well. Any of those things, we'd love to meet up with some folks in person.
Aaron Crow (44:26): Awesome, man. Well, hey brother, I appreciate your time today. I'm sure we'll see each other since we live pretty close to each other, and we'll both be at DEF CON and all the things. So thank you for your time today, and keep up the good fight, man.
Caleb Davis (44:39): Yes, sir. Thanks, man. Appreciate you having me. Have a good one.
Transcript lightly edited for readability.
Subscribe to PrOTect IT All and stay ahead of the threats targeting critical infrastructure.