Ep. 016 - The Double Andrew Rose Special: Insights on Cybersecurity in AgroFoods
Show Notes:
In this special episode of the Bites and Bytes Podcast, host Kristin Demoranville is joined by two cybersecurity experts, both named Andrew Rose, for an insightful discussion on the intersection of cybersecurity and AgroFoods. Andrew Rose from the UK is currently the Chief Security Officer (CSO) at SoSafe and was formerly the CISO at Proofpoint, CSO at Mastercard UK, and CISO at the National Air Traffic Services (NATS). The other Andrew Rose is from the US; he's an Ag Futurist and a cybersecurity advisor specializing in agricultural production, including advising for BIO-ISAC.
Learn about the critical role of resiliency in the agri-supply chain, the impact of human error on cybersecurity, and the need for education and awareness to prevent breaches. Explore how cybersecurity integrates into food safety culture and the importance of building security into agri-tech products. The discussion also covers emerging cybersecurity trends, the role of government agencies like the FBI, and the global implications of food security.
Tune in for expert insights, practical advice, and a deeper understanding of the unique challenges and opportunities in agri-food cybersecurity and this critical infrastructure.
Also, Happy Pride! 🏳️‍🌈
-----------------------------------------------------
Episode Key Highlights:
(16:03 - 16:55) National Seminars on Agricultural Security Threats
(19:19 - 20:24) Lessons for Food Industry Cybersecurity
(22:50 - 23:54) Importance of Data Integrity and Availability
(27:51 - 29:22) Social Engineering
(34:03 - 35:46) Food Security and Existential Risks
(39:13 - 40:17) Impact of Global Food Economy
(41:29 - 42:09) Impact of Ukraine on Grain Prices
(49:34 - 51:11) Rising Nation-State Threats in Cybersecurity
(53:13 - 54:22) Importance of Product Security in Agro-Tech
(59:46 - 01:00:55) Financial Impact of Ransomware Attack
-----------------------------------------------------
Notes from the Show:
Reporting Agricultural Incidents (Ic3.gov)
-----------------------------------------------------
🏳️🌈👊⚡️ Pride Merch 🏳️🌈👊⚡️
Bare Knuckles & Brass Tacks Podcast
Learn more about Out in Tech
Learn more about the Scholarship for LGBTQ+ students
This BKBT podcast episode discusses these causes and the Pride Merch Shop.
----------------------------------------------------
Episode Guide:
(00:00) - Favorite Foods and Food Memories
(07:58) - Tea, Scones, and Security Discussions
(13:24) - Cybersecurity Lessons for Food Industry
(19:54) - Cyber Resilience in Agri-Foods
(27:13) - Critical Importance of Food Cybersecurity
(35:47) - Global Food Economy Security Implications
(40:17) - Global Food Security and Cyber Resilience
(45:17) - Rising Cyber Threats in Agriculture
(56:30) - Cybersecurity Challenges in Agriculture
(01:00:23) - Food Industry Cybersecurity Discussion
00:00 - Kristin (Host)
Well, hi, everyone, welcome. I have the privilege of speaking to two (you heard that correctly, two) Andrew Roses. I'm honored to have them both here. They both have a wealth of experience, so I'm going to quickly jump into our favorite moment of the podcast: favorite food and favorite food memory. Andrew UK, as I'm going to call you, you can start.
00:20 - Andrew Rose (UK) (Guest)
Hi there. Thanks for inviting me on the podcast. Lovely to be here. Favorite food is probably lasagna. I do love a good lasagna, oh my gosh, and I'm not sure if this is weird or not, but I do love it with fries, like in lasagna or on the side?
00:32 - Kristin (Host)
No, on the side.
00:33 - Andrew Rose (UK) (Guest)
Okay.
00:37 - Kristin (Host)
So you like, dip it in the marinara kind of thing.
00:39 - Andrew Rose (UK) (Guest)
Yeah, a little bit, a little bit of that. Definitely it's really good, but I do love. Oh, lasagna is my favorite thing.
00:44 - Kristin (Host)
It's shocking that someone from the UK likes chips on the side of the lasagna. Just going to put that out there, because every time I ask for a side at dinner in my house it's always chips. The answer is chips.
00:55 - Andrew Rose (UK) (Guest)
It really is. Well, coming from the UK, absolutely it is, so that's my favorite food. I think my favorite food memory actually relates to what used to be my favourite food, which was pizza. I spent many years as a complete pizza nerd because we used to live in New York and whilst we lived there we went on a pizza tour, and this pizza tour still happens, so I recommend it to anybody who goes to New York.
01:14
Scott's Pizza Tour. I am not sponsored by Scott, but he did do the tour on it and it's incredible. He takes you around all of the old pizzerias in New York and he explains the history behind New York pizza and the science behind it, how about the pH of the water, how that affects the pizza, and all sorts of stuff, and it's thrilling and amazing. And he takes you around and talks about all the different types of ovens and you try a slice in all these different pizzerias so you can compare and contrast. It's an amazing experience. I absolutely loved it. My wife did say that she'd never actually seen me have such an immediate bromance as I did with Scott when I first met him, because I was just like on his shoulder all the time, learning about pizza and hanging out with him, but it was really good. So if anyone goes to New York, I'd definitely recommend that. That's my probably favorite food memory.
01:57 - Kristin (Host)
I'll try to find it for the listeners and put it in the show notes. I've never heard of a pizza tour before like that. That is interesting. And the fact that it goes into the science of it, that's incredible. It's amazing. Wow, I mean, I think we could probably geek out on pizza then, because that's great, like that's fantastic. Thank you for that. And other Andrew.
02:14 - Andrew Rose (US) (Guest)
Thank you for having me here. This is a huge honor. I can't believe that I was mistaken for someone else, but it certainly has aided me here at this point in my life, and then for the two of you. One of the best pizza joints I've ever eaten at is in Vegas. It's called Secret Pizza and there are no signs; you have to be able to find this place.
02:32 - Andrew Rose (UK) (Guest)
I've been there. I've been there. Yes, I heard about it. It is weirdest down this little corridor, uh-huh, exactly, yeah, I've been there.
02:41 - Andrew Rose (US) (Guest)
And you only go there after 12 o'clock, you know, like 2 am. There's a line out the door, but it's an amazing place. Anyway, my favorite food and the favorite food memory are both linked together, and my favorite food is lobster. I've often thought if I had done something really, really bad and I was locked in a cell and had one last meal to eat on this planet, it would be a lobster, and not just a lobster, it'd be boiled in the seawater from Bar Harbor, Maine. When I was a kid I spent several weeks on a boat, sailboat, off the coast of Maine, and we pulled into Bar Harbor and you get a $5 lobster and you boil it in the water of the bay there with some clams and other things, a little bit of seaweed, and that right there is a memory in itself.
03:15 - Kristin (Host)
I was born in Maine, so like you just touched my heart, like that is it, and actually the episode before that I just recorded it's probably been released now. We were talking about lobster rolls. So like this is great, like I love that people are into lobster, I'm like, yes, and of course I'm kind of like growing out of it now because I've had it so much. So I completely that nostalgic moment you just described is how childhood was.
03:39 - Andrew Rose (US) (Guest)
And you know we've reached that point in our lives where they will crack the shell for us and take the meat out, so we don't have to do all that work. You know the way. It was very manual back in the day when I was a kid.
03:49 - Kristin (Host)
Yeah, actually, you know, the trick with that is, since you know, I also live close to Maryland, so blue crabs are very popular here. I don't crack shellfish, I just I think I got attacked by like the antenna too many times when I was a kid and I just kind of like am over it. It's just gross, it's a giant bug. If you sit next to people and you ask them what their favorite part of the lobster or the crab is, they will literally crack it for you and hand it to you. So you don't have to do anything. You just walk around the table and be like tell me your favorite part and then they'll give it to you.
04:20 - Andrew Rose (UK) (Guest)
I've tried this multiple times. It works, so I don't have to touch anything.
04:22 - Kristin (Host)
This sounds really weird. I mean it is. It is weird but it's delicious. It really is, and you have to have a lot of butter for the lobster.
04:29 - Andrew Rose (US) (Guest)
Drawn butter with lemon?
04:30 - Kristin (Host)
Yeah, absolutely, yeah, you have to definitely do that and it's amazing. I actually love steamer clams, fried steamer clams with shoestring onion rings, or fried scallops and like really crispy fries. Like those are like I crave those daily, almost. Can't get them unless you're like on the beach, because you gotta have like a little bit of grit of sand in it, because that's just like the way it should be in like a little gritty sand in it.
04:54 - Andrew Rose (US) (Guest)
Amazing.
04:55 - Kristin (Host)
It's like childhood, all over again, thinking about it. Oh my goodness.
04:57 - Andrew Rose (US) (Guest)
Well, I do have a bonus answer to that one too, because I was on the fence.
05:01
The other thing is I love scones.
05:03
Two years ago I spent six months working from the road just to see if I could pull it off working little tertiary towns, and when I go into one of these small towns across the US, the first thing I try to do is find a coffee shop a local coffee shop and get a cup of coffee, and if they have a scone, I buy a scone.
05:18
And then I listen like a thief to the conversations around me to get a sense of the vibe of the town. I checked the corkboard out to see what kind of things are being advertised and up there, and after six months of eating scones, I got back and said, boy, there's a few of those I miss. I don't even know how to make a scone, and so I went on YouTube and started teaching myself how to make scones, and for the last about 18 months I've been baking scones and people love them. People more than my friends and family love them. So I don't, I don't take that sort of feedback with any kind of any weight or measurement of how good they are, but it appears that my scones are a hit, so I'm becoming known for my scones as well.
05:51 - Kristin (Host)
So are you doing the triangle scones or are you doing the circle scones?
05:55 - Andrew Rose (US) (Guest)
Well, you know, yeah, those are fairly pedestrian shapes. I also like to go to antique malls and I look for the cookie cutters that are deep enough, so I've got any shape you can imagine. I like the hearts a lot because I figure if you make a heart-shaped scone, if someone has a broken heart, you give it to them and they always feel better about themselves. But I've got cats and cows and flowers and stars, like any shape you can imagine. So no, not those mundane pedestrian scones you might find in the stores.
06:22 - Kristin (Host)
That's great. Those mundane pedestrian scones you might find in the stores, that's great. And the biggest question, though, and I know Andrew will agree with from the UK side: is it cream before jam or is it jam before cream? Because this could be a make-or-break conversation right here.
06:34 - Andrew Rose (US) (Guest)
Well, you know how our friends are over the ocean. There they have words for things that are inappropriate. So what they might call a scone, we might call a biscuit, you know, and one might have an egg in it. The other one might not have an egg in it, and I'm not that pure, I just want to go with what tastes best. You know, this is my palate I'm concerned with, so I'm not going to touch that one.
06:57 - Andrew Rose (UK) (Guest)
Well, there's a definite answer to that. Frankly, from an English perspective, it's obviously cream first, jam second, and what we all steer clear of is the tea situation, whether you actually put the milk in first or the milk in later, because that's equally contentious but also has a very clear answer from my perspective. It's first. Oh, I just didn't know.
07:15 - Andrew Rose (US) (Guest)
Oh, good grief, yeah, point of no here, being that you were obviously raised in the Southern part of the United States, where sweet tea is the beverage of choice, and there is for a while.
07:29 - Kristin (Host)
I couldn't get behind it. It was too sweet.
07:32 - Andrew Rose (US) (Guest)
Well, the thing there is do you put the sugar in when the water is hot or cold?
07:36 - Kristin (Host)
I don't know. I never made it, so that's a. I have no idea.
07:39 - Andrew Rose (US) (Guest)
Put it in when it's hot, otherwise it gets cloudy.
07:41 - Kristin (Host)
Okay, that's good to know if I ever make it. No, I actually just like iced tea, black. I don't really put anything in it, so, and most of the time it's herbal tea here, except for when the in-laws come over. They usually bring like a huge bag of tea over from the UK, even though we could buy it here, but it's cheaper, so that's where we get it. Of course, a cup of tea is a very complicated conversation anyways, because everybody has their tea a certain way, and if you say I'll take a cup of tea, well to me, what kind of tea do you want? Because I have like 16 varieties at least and it's just a normal cup of tea. What does that mean? So it's always just black tea whenever Tetley's or whenever I've got kicking around the house just makes me laugh, because it's always like this part of like a weird conversation always with tea.
08:29 - Andrew Rose (UK) (Guest)
If you're asking a British person about tea and they just say a cup of tea, they mean English breakfast tea, yeah, which is the same sort of standard hot black tea, which is Tetley's and PG Tips and things like that. If they're going off-piste and going for something a bit more sophisticated, like an Earl Grey, they will specify. So yeah, just English breakfast, just default to that and you'll be fine.
08:43 - Kristin (Host)
Okay, I will try to do that. Usually I just throw it in, but you know, my partner likes it very weak and I like to sleep tea bags in because I don't care, it's strong and it's fine. But he's like literally like two seconds in dip and it's like you want a whisper of tea. That's what you should say.
08:57 - Andrew Rose (UK) (Guest)
A whisper of tea.
08:58 - Kristin (Host)
Yeah, there's a lot of odd oddness. I still am learning terms. I'll be honest, I don't, I don't say, like, kitchen roll or kitchen paper. I was so confused about that for a long time. It's paper towels, like. I didn't understand. I kept being like why do you? What do you want? I don't really paper in the kitchen. What are you talking about? I'm getting better because now I translate for all my US friends. I feel like that is now my service to the community, as I translate British to American quite often, or vice versa, 'cause sometimes we say weird things that you guys don't get either, which is fine, which is probably most of the time.
09:31 - Andrew Rose (UK) (Guest)
You just make the whole language up. It's a bit sad really what you've done to it, frankly, but hey.
09:36 - Kristin (Host)
Well, the nice thing is that you can. You can literally insult somebody and they won't even know it.
09:45 - Andrew Rose (UK) (Guest)
Oh, absolutely, it's a very British thing. We can, yeah, we can write emails like you wouldn't believe. You'll just get to the end of it and go, was that nice or was that really mean? I can't tell. I don't know what they were trying to say.
09:50 - Kristin (Host)
Yeah, because it was written in a British accent, so it's just like, oh, it's okay, it's fine. But I love the scone making for you, like I think that's great. And the one question I have about that, though, the big one, is what is your favorite type, like kind, like flavor-wise, that you like?
10:06 - Andrew Rose (US) (Guest)
Um, that is a good question. And I love them all, there's sweet scones and there's savory scones. My personal favorite is a candied ginger butterscotch scone with, um, a light green sugar glaze on top. That is my favorite sweet. But for savory I go way off the charts. I like an anchovy, sun-dried tomato caper with a pickle cream on top. So you get that sort of punch, that little, that tart bite, and it moves into more of a salty, um, umami flavor. But you get a full, rich flavor and I might throw some smoked cheddar, smoked horseradish cheddar cheese in there too, just to give it an extra oomph. But it's certainly a confusion in the palate, but all of a sudden the flavors dance together and then you're left with this wonderful taste there. But it's, you know, I'm kind of a backyard chef, so it's an acquired taste at times.
10:53 - Kristin (Host)
No, I think that's great. I mean, nobody can see our faces. But both of us were like what You're doing too much? It was what I was thinking you're doing too much, but it sounds like it would be good ultimately at the end of it.
11:08 - Andrew Rose (UK) (Guest)
So I was hoping you'd say something simple like cinnamon chip. No, way beyond that. It's taking to a whole new artistry level.
11:12 - Andrew Rose (US) (Guest)
It's incredible, yeah. So last night I baked mangoed candy ginger caramel scones with a simple sugar glaze, and then, uh, tart, dark cherries, dried, and really dark chocolate with a sugar glaze as well. Heart-shaped for an event tomorrow.
11:27 - Kristin (Host)
Wow, that's a.
11:28 - Andrew Rose (US) (Guest)
That sounds amazing and I have to report back and people liked it, that's wow, Andrew, I will hold you a plate and then, Kristin, I'll find a way to get you some.
11:37 - Kristin (Host)
Well, we don't live that far away from each other, so I'm sure we can figure it out. We could have a meeting just to exchange scones. I will not be baking them. I'm not about that measurement life, so I can't do. I don't bake at all. I would rather just throw the ingredients in a pan and make it magical for dinner rather than measure. It was time for measurements. I don't.
11:58 - Andrew Rose (US) (Guest)
I'm going to push back. You're a problem solver. I bet if you put your mind to it you'd be the best scone baker we've seen.
12:03 - Kristin (Host)
I'd have to rival my mother. That's a hard one, because she's an amazing baker too, so like and my little sister who makes, like macaroons and all these other crazy cakes, and I don't know, maybe I just don't want to compete with my, my female relatives on that front either, to get into a bit of therapy there. So now that we've talked for quite a bit, which is awesome, let's do some quick introductions. Andrew, in the UK, I will have you start.
12:27 - Andrew Rose (UK) (Guest)
Okay, so I'm currently the chief security officer at SoSafe, which is a German company which is involved in human risk management. So we talk about changing the behavior and the culture in an organization to really sort of minimize the human attack surface. But I've actually been employed in many organizations before this. So I was the CISO of two very large global law firms. I was the CISO of UK Air Traffic Control, CISO of Mastercard in the UK and also was a Forrester analyst for about five years in the middle. Quite an extensive experience of security in large enterprises and critical national infrastructure, which is what sort of brought me to this topic that we're going to talk about today, really, because I think this topic area is very underserved and under-talked about, which is great that we're talking about it today. Agreed.
13:10 - Kristin (Host)
Thank you, and I love that you've done the airports and the air traffic control situation. Not many people can say that, so I love that you have a uniqueness in your own niche, whereas Andrew and I also have that uniqueness with the food. Andrew, go ahead.
13:23 - Andrew Rose (US) (Guest)
All right. Well, thank you. Appreciate that. I am the other Andrew Rose, the US first from Andrew Rose. And, fun fact, there is another Andrew Rose who does cyber, but we'll eventually get him into one of these podcasts. So I am an accidental cybersecurity advisor, expert, what have you.
13:42
I was working for a large bank that does agricultural financing and had just come off of helping stand up the Cybersecurity Association of Maryland as a favor to a friend of mine. It's not that I have any coding or cyber background, it's I know how to start nonprofits and write bylaws and put fiduciary responsibilities and governance in there and bring in sponsors. And we hired an executive director, got an office location, got programming up and running and about that time I went over the bank and I inherited a large team that was geographically dispersed and I figured a great way to do a team-building exercise was to do a tabletop exercise and since I'd just come off cybersecurity, I figured, well, let's just do a nuclear: internal disgruntled tech employee that bricks our machines, exfiltrates data, you know, the whole nine yards. And we ran through that exercise and I won't really go into what our findings were, but it gave us 18 months of work to patch over a few holes that were uncovered. The big kind of one of the issues going into this and for anyone out there listening is we had assumed we had a playbook. We had assumed that, whatever the crisis was, there were protocols and procedures in place to follow through that. And that was the pushback I got when I was pulling everyone together and I said, well, we'll do this for muscle memory, then. We'll run through it just to understand what this looks like.
14:53
And then we obviously identified some gaps and blind spots. That gave me a lot of pause and I reached out to a friend of mine who was very high up in the US Cybersecurity Command and said, hey, I'm in agriculture now and I've found something. I'm a little concerned. Would you, would you look around and just let me know what you see? And he got back to me about a month later with an "oh shit" type of email saying, hey, this is not good. And I, and you know, I'm just doing this as a volunteer, I'm a regular guy, but I know a lot of people. And at the same time, and I can share this publicly because there is a YouTube video, one of our clients is a very large poultry integrator on the Eastern Shore and their contract growers were getting hit by a variety of business email compromises and rerouting transaction numbers and it was in the tens of millions of dollars were the hits and no one knew what was going on.
15:43
No one knew what to do and I thought I'd be a superhero and I'd call the FBI and they would do a YouTube video, a case counterpoint. Here's what you do if this happens, and that was my first experience with dealing with the public-facing information from the FBI. There is a process and procedure. It's very difficult, it's like threading a needle, to get them to say anything in public, but there is a way to do that. I put on a series of national seminars to bring awareness to the ag community that hey, you are a target, this is a threat we need to be aware, and I did those. That was starting in 2016, 2017. And then probably by 2019, we'd done several very large conferences and the time demands for me as a volunteer were so great that I needed to focus on what I was best at. So I migrated from being everything to everybody to focusing on the emerging threats.
16:33
And now, and I do want to give a shout-out to the FBI. They've been, they've been supporting me the entire time. Whenever I need something, it's there. Whatever information needs to be shared with an audience, a speaker, what have you? They've stood up and, to their credit, they always apologize afterwards, saying we could have done more. You know, and I'm always like, well, at least you're there for me. I do appreciate that, but one of their concerns is, when they're called, it's after the incident's occurred.
16:55
So the right of boom and the lack of preparation by many companies to what that looks like. Not only are you dealing with the emotion of it: Why was I attacked? Why was it me? You know, why was I singled out? Now you're going to make payroll with no records. Now you're going to send invoices out with no records. Now you're going to receive invoices with no access to your financial systems.
17:16
So I've been working on small private focus meetings with groups in the agricultural industry about okay, it's not if and when, it's when and again. So let's just start planning for these things and getting ahead of these attacks, and that's my cybersecurity contribution. What I also do, though, to keep my lights on, I work on projects that benefit our species three generations from now, primarily in agricultural production, and a lot of that's technology transfer from other countries that will then benefit soft landing. It'll benefit the US, but it'll also benefit them. And then I also work as a fractional chief of staff for a variety of different companies across different categories, mostly in the agriculture sector, some in the IT sector. So that's a long-winded way of saying me. I'm in Baltimore, Maryland, so if anyone's out here in the area I'd love to treat you to a crab cake and a cup of coffee.
18:05 - Kristin (Host)
And you're also harvesting or cultivating your own mealworms right now.
18:08 - Andrew Rose (US) (Guest)
Did you tell me that? Yeah, well, to get really hyper-focused in the agriculture production side, I specialize in novel plants and proteins and that's going to be a micro or macroalgae, seaweed, or a microalgae, it's going to be duckweed, it's going to be insects, space agriculture, recirculating aquaculture systems, and I do have an affinity for insects in particular, and of those, I have a real affinity for mealworms. I love the protein emulsification. They're cold-blooded, like the five to nine harvest a year, and they're fun. They're two-dimensional, they don't hop, they don't fly, they don't complain, they don't make noises.
18:45 - Kristin (Host)
They just eat their carrots and apples and whole wheat and just do their mealworm thing. Live their best mealworm life. That's amazing. Thank you both for your introductions. So let's jump into some questions that I have, because everybody's probably like well, why are? Why did you bring these two Andrews together? Other than it's fun, because their names are the same. There is purpose actually, because I want to have a conversation more about normal ("normal," I say in quotations) practices in cybersecurity, but also let's swing in and how it relates to food. And both of them have industrial backgrounds. So it works out just for the audience understanding. Andrew, in the UK side, based on your extensive experience in industrial cybersecurity, aka the airports and beyond, what are the key lessons that the food industry can learn to improve their cybersecurity posture in your opinion?
19:32 - Andrew Rose (UK) (Guest)
Oh, gosh, gosh. Ah, there's so many, there's so many lessons. That's the problem. That's, you know, when you look at the control stack that a CISO would look at for an enterprise, there's generally about 130 controls, and however you break it down, it turns out to be about 130 controls, whether it's ISO 27000 standard or the NIST standards. So there's always a lot to think about. But I think, gosh, there's lots of aspects to think about. One is the evolution that I think we've seen in the industry, moving from IT security, where you're just protecting the box to stop malware getting on it, to information security, about okay, now we've got to protect the value of our information and the integrity of our information. Then moving on to cybersecurity, where it's actually okay. Well, this is going to affect our service and our service is going to be down, so we won't be able to deliver on value proposition.
20:16
Where organizations are moving now is into cyber resilience, where actually, if they have a cyber breach, it doesn't disrupt what they do. And there's certain aspects. There's a chicken growing company that I've been working with as well a little while ago and they were talking very much about how the need for resilience is paramount to them. They need to keep their systems running. They need to keep the whole process running through, otherwise things get pretty horrible. You can't back chickens up and keep them in the same pen longer than they need to be. So I think, certainly focusing about that one. But they had their billing system get some ransomware on this and because the billing system was infected they shut down their operational capability, and that's entirely the wrong thing to have to do. So I think in agri-foods the people that need to realize that the service needs to continue, they need to get sort of, they need to be able to continue to produce and continue to move the produce around and get it to the right place. So they need to focus very much on resilience, or rather sorry, resilience rather than recovery. You know you can't be down for two weeks and then recover it and go. Well, fine, that's two weeks of produce lost. Goodness only knows the impact that could have. How you get around that is well.
21:33
I think you just have to look at all the normal controls that people focus on these days. So how am I going to prevent ransomware? How am I going to keep my network segregated and safe from different external threats? And if we do get a breach internally? How can I make sure that other aspects of my network are segregated away from that?
21:49
And finally, I think probably the key thing to think about is how most of these attacks start, which is very much the sort of space I'm passionate about right now, which is the human side of the risk. It's really interesting to look at enterprises and what they do is they seem to spend about 90% of their security budget on technology and yet when you look at the statistics, about 90% of the threat comes from people who will click on links, who will open attachments, who will do silly things, send information to the wrong place. So actually there's a real imbalance there and normal large enterprises are still dealing with that themselves. So I think, as the agri-food industry starts to really get in and tackle cybersecurity, they need to think about this education and awareness to change the behavior of the people who are involved in the whole end-to-end process, because that's where many of those vulnerabilities and those issues will begin. But they can be cut off with some good education and training.
22:38 - Kristin (Host)
Absolutely, and I think this is why cybersecurity has to be included in food safety culture, because the more you tie it to the safety of the food, the more people will care about it and the more they'll be careful. I guess is what I'll say.
22:50 - Andrew Rose (UK) (Guest)
It's interesting to sort of have the analogy with air traffic, because in air traffic control I didn't care about confidentiality one jot, and we all talk about cybersecurity being the triad of confidentiality, integrity and availability. I didn't care about confidentiality. If we lost our HR database, sure, that was a rough day, but hey, it could be so much worse. We had to focus entirely on integrity and availability of data so the air traffic controllers could do their job. And if that dot was on the screen menu, that was exactly where that dot was, and they'd rather have no dot than an incorrect dot. So integrity was vital and availability was vital, and I think those aspects actually are true with the agri-foods as well. The confidentiality is not that much of a big deal, but the integrity of the data to prove the provenance of their foodstuffs and the availability of their systems, processes and bring it through from farm to fork is really key for them. So they're not just a normal cybersecurity journey. It's slightly different. It's much more critical national infrastructure thinking. It's much more about safety-level thinking.
23:46 - Kristin (Host)
I'm glad you said that because that's very true, especially even just in straight up manufacturing. It's availability. That's the king, if you will. That's so important. And I was thinking about since we were both at RSA recently. I was thinking about the marketing information I saw walking around.
24:01
I don't know if you happen to notice some of it as well, I'm sure you couldn't not, actually, but there was one particular vendor who said something like we eliminate all operational technology risk and I was like, so you take the people out? Like that was my response in my head. And it was funny because I ran into another host of another podcast who interviewed me on the floor and I said it to him and he was like, wait what? And I was like, yeah, you got to take people away from it. If you keep people in there, you can't eliminate all risk. There's no way. And you just said that it's crazy to think that people think that you can do the X, Y, Z, da, da, da. But if you don't train your staff or they don't understand why it's important and where they should care, that leads to more problems and it's so frustrating.
24:38
Pipeline is a great example, but I was thinking of JBS. That also showed that you have to have important disaster recovery business continuity planning. You can't retract beef once it's hit the trailer. There's no food or pasture necessarily for them to go back to the farm and it might've been trucked pretty far depending on where they were coming from. Now you get stressed out meat that's defecating on itself and there's all these other additional food safety issues that are happening because of it. That was such a devastating situation that has such long-term effects. And God knows the payouts were rough. They were paying so much, not only for the ransom but the cleanup, if you will. And this is the problem is oh, it's not going to happen to us, but if it does, we'll be fine. How can you assure, how is that assured? Like, I don't know. That's frustrating.
25:19 - Andrew Rose (UK) (Guest)
It is, and I think that chicken company I was talking about they actually went. They went through all of their processes and they worked it out that if they had no computers at all they could still do it. They went back to the paper process. How would we do this with no technology? How could we know what we were doing? And I think that's a very wise thing to do. We've seen other organizations do that when they had ransomware. There was Norsk Hydro, an aluminium, or aluminum, sorry, smelting factory, and they again had to go back to manual processes because their computer systems were wiped out by ransomware. So we do need to think all the way through how could we keep our services going when everything is gone? And certain industries really need to do that. I think agri-foods is one of them.
26:02 - Kristin (Host)
I completely agree. Andrew from the US, do you want to weigh in, since you're on the front lines of agro-tech?
26:03 - Andrew Rose (US) (Guest)
Indeed. Two years ago in Fargo we ran a tabletop around resiliency in a big part of the agri-supply chain. And, to Andrew's point, resiliency, not only in an organization but in an entire supply chain, is the critical piece, because you got competitors that if one goes down, it's either wolves on the carcass or everyone bands together and make sure that our citizens get fed and their livestock gets fed. We ran through the what if? What if the computers go down? What if there is an attack here? And, Andrew, to your point, paper was the way that things are going to move around. The issue was there was no more paper because everything had been transferred to digital and the people that knew how to use paper have either all retired or almost are retiring. So there was the human element of how do we move things, as well as the physical how do we record things as they're moving down the chain? Here we are going to meet in Fargo on June 11th and part of that conversation is two years later, where are we? You know, have things been solved? Is there more communication between competitors? We are bringing in the association heads as well. So it's not just the companies, it's the we won't call it oversight but the group that keeps them together, and I think sometimes it's better to have them say, hey, this entire sector needs to function the way it should.
27:13
And the other piece, Andrew, I'm going to talk about is the integrity of data. You mentioned that part there too. This is public. Back when COVID hit and we were racing to get vaccines done, there was a cybersecurity incident with the calibration of the thermometers and much of the vaccine was lost because of that attack. And it was an integrity of data. It's the data readout good, but it wasn't, and it was done in such a way, in such a minor way, that would have been missed. And that's just another issue that, you know, Andrew, going back to, the integrity of data is critical because otherwise, you know, if you're reading your screen or you're going to print a report, everything looks good and you can't figure out, you know, why things aren't matching up or correlated.
27:51
And the last piece, too, and this is what I'm really excited about, is the social engineering piece of it. You know, again, we spend so much money on blue team, red team, pen testing and all this stuff which, yeah, you should patch your stuff. Things should be updated. There should be somebody watching over all your credentials. But social engineering, especially AI-enabled social engineering, is, it's here. I mean, we were warning about it 18 months ago, but now it's here full force and we are not prepared. I mean, the tsunami came in and we were still sitting on the beach with our lawn chairs.
28:21 - Kristin (Host)
That's a really graphic description, wow. I think the thing that's really interesting about this is it's such a distinctive difference between the enterprise side and the industrial farm, all the whole bit manufacturing, that people keep trying to twist it to be like enterprise. So when they talk about it in groups like especially and I'm sure you've run into this too where you're trying to explain what you've dealt with in your career and what you've seen on the industrial side to someone who's only been in enterprise there, they kind of look at you funny like but why would you do it that way? And my response back is a risk in your environment isn't necessarily a risk in my environment, and vice versa. It's the people that are always going to be the biggest risk, full stop, whether it's their safety or they're doing something or didn't mean to do something, or something happened. Most of the time it's the people that are causing the problem. I would say probably 98% of the time. Technology doesn't wake up one day and decide to give itself a virus. You know what I mean. That's not something that it does. If it starts doing that, then we're done. We don't think of problems. The days of it's become sentient. It's here. No, not yet.
29:22
What I think is frustrating from a cybersecurity point of view is I feel like I have to evangelize so much into the cybersecurity world to let them know that this is a problem, that agriculture and the food industry need help, and not because it needs help, but because it's the right thing to do too, because we all eat, you know we need to care, and the fact that it wasn't added to the 16 critical infrastructures or 15 at the time, until 2020 completely pisses me off. Like we've been eating and harvesting and doing this for the dawn of time and here we are not realizing that we need to care about it, because oil and gas go first, automotive goes first, you know, water is not even really a consideration at times. We have to rope that into the food industry because it's so prevalent in not only the production of food but creating food, and I'm actually at a place where I'm simmeringly angry at all times about it. Now we need to do something like. We need to keep talking about it. All I do is evangelize like hi, we need to care about cybersecurity and food.
30:17
The food teams get it. The food scientists, the quality people, the protection people they understand. The defense teams definitely get it because we can help them fight food fraud and obviously all the drug issues that are happening in the food industry. But it's just like why aren't cybersecurity people click? Where's the light bulb moment? Why aren't they understanding this? Is it because it's too hard? Because it's too? I don't know. Food is a very emotional thing, you know, because we have that connection to it. I just don't understand. That's where I get a little annoyed, and this is just me sharing a general annoyance.
30:46 - Andrew Rose (UK) (Guest)
I think on that one, I think a lot of the cybersecurity people out there most of them are very focused on that CIA triad and confidentiality is everything and integrity and availability is probably IT operations problem.
30:56
So they come at this from the wrong angle straight away. And I also had to retrain people who joined my team to sort of refocus them on the key things. So I think they come at it from the wrong place and I think there's a perception across society that agriculture is not technology-based. It's probably the one thing that's not technology. They see it as oh, there's loads of wheat in the field, okay, that's not going to get malware, it's not going to get ransomware, but actually it's all the process of the technology that puts the wheat in the field, brings the wheat out of the field and gets it to your store. Absolutely, that's technology-based. So I think there's just a perception that this is different, that this isn't at risk from those cybersecurity issues and with the lack of cybersecurity people focusing on the right aspects of it, I think that puts us into this really poor position, which is again why I got involved, because I perceive this is the most critical national infrastructure and yet it just gets so underserved in terms of commentary and governance and oversight and support generally.
31:49 - Kristin (Host)
Yeah, I know enough about the UK side in terms of the food industry and the agriculture side to know that it's a very regulation-driven. There's almost like a police for everything, which is I don't think it's really a bad thing because it's keeping you honest, right. But to the point where the farming let's be real, and I think Andrew might be able to weigh in on this too isn't exactly like a money making role. You can make some money in it, but you break, basically break even, or you pray to God, you break even by the time the season's over. It's so much stuff that they have to deal with the weather, which is constantly an issue, obviously. The soil, because it's being destroyed. Bugs, because bugs are a problem, and then human factors people being jerks around the fields doing other things and then now people are saying, oh, they get all these subsidies and all these things, but that doesn't necessarily help with what they need to deal with on the back end, and farmers are very concerned about their data, they're very concerned about where it's going. As the consumer becomes more educated, they're going to want more and more tracking, like what plant did this particular soybean come from? It might come down to that, and that's an incredible amount of pressure that's put onto the farm. That's more stuff that needs to be dealt with.
32:54
It's actually been stated in multiple reports that the food industry is a low-hanging fruit. The food industry just needs support and help from all of us. That's really what it needs and I hope that as people are listening to this, they start to ask questions critically. Even when you're watching a TV show like Clarkson's Farm, because there's quite a bit of tech on that he's got a tractor, he drives around with a joystick, something like that or when you watch a show about food factories or something like that, do you understand the food safety revocations of having that crew in there or what that looks like or how they produce? Do you have questions about? You know, follow the network cable. I want people to ask those critical questions and I have that come to me quite often. How do I get involved in food? How do I get involved in operational technology, security or ICS? How do I get into these things?
34:03 - Andrew Rose (US) (Guest)
[...] government for protection. Yet, absent water, you live three days. Absent food, you live for about three weeks. You know if your Internet goes down life's going to suck, but we got by in the 80s and it worked out right for us and I mentioned this at a high-level briefing. If we go five days without food, you're going to break a law. If your kid's hungry and three weeks without food, that's the end of the government. I know some other people have a slightly shorter timeline than that, but I think I'd give our government three weeks without food before everything falls off.
34:39
And back to the initial question that you asked, I think the real issue is that we generally as a species take our food for granted, that the availability, at least in the first world, maybe the second world, we just go to the store and get it. There's a complete disconnect of all the different pieces that it takes to get it from the farm to your plate and all the intermediary steps in there. And if you just take that for granted and you remove the foundational piece, there's going to be we're on demand. You know this is there's not like there's a warehouse full of bread that's going to be shipped if you're unable to produce more to go with that.
35:11
And then, and just from the existential risk you know we talked about bugs and other things that I mean the one that really took us by surprise was the solar flare knocking out all the GPS systems, all the John Deere tractors in Canada. Right before planting, you know, you get a short window for planting, you disrupt that and all of a sudden if you lose a crop, you can't plant it tomorrow and hope that it comes back in a day or two. It's, I mean, it's like trying to raise a teenager. It's going to take 18 years to get that person to an adulthood.
35:37 - Kristin (Host)
Speaking of that, will you explain why GPS is important to planting, because I think a lot of people are like, oh, who cares if GPS knocked out on tractors?
35:45 - Andrew Rose (US) (Guest)
You need to care, by the way. You do. Agronomy is so advanced right now that we are planting seeds at depths within millimeter calibrations, spacings of the same. These plants are engineered to grow at a certain rate. Their leaves will shade out the weeds, their spacing, everything is down to the nth degree. And that's not even taking into account the soil moisture, any kind of inputs that need to be done like that. But it's incredibly precise and if you think about all the money being poured into ag technology, it's all about that data. The more granular you can get on that data.
36:20
You did mention data, and data is a huge concern. Obviously, we're mutual friends with Pablo and I love Pablo's idea of creating an ag data lake that some sort of oversight will administer and can then take parts of that data, share it with somebody, but make sure the farmer gets some sort of reimbursement for that data, because there's so much that's being put on farmers these days. I mean, forget about environmental regulations. I was at an event recently, a very large event, and someone made the suggestion that we should blame farmers if there's a cybersecurity attack on their farm. No, exactly, and I said. I stood on stage, I said no, stop, do not even go down that line of thinking. One question I do have for the two of you. So, Kristin, what's the longest you've gone without food for?
37:08 - Kristin (Host)
Probably close to 48 hours due to travel. Andrew?
37:13 - Andrew Rose (UK) (Guest)
Probably about 48 hours due to food poisoning. I just couldn't keep anything down.
37:20 - Kristin (Host)
That's awful.
37:22 - Andrew Rose (US) (Guest)
My record was five days and I did it as a dare because a friend of mine told me he did 10. And I thought that I could maybe do 10 too. I got to five days and it was so painful I mean physically painful it felt like there was somebody inside my stomach with razor blades just slashing at me night and day. It was. You couldn't sleep with that kind of pain.
37:42
And when you hear this term the gnawing hunger from Appalachia, that's what it felt like. It felt like someone was trying to, something was trying to eat me from the inside out. And if you've got that, that disconcerting feeling after four or five days, you're desperate. You're going to do a whole lot of things. So you know, if anything comes out of this, I do hope cybersecurity community and regulatory community understands how important food is to us as a species. And if we're not learning lessons from the war in Ukraine, Russia is going to take out electricity in the winter, so you freeze to death, and you take out the food in the summer, so you starve to death. If we're not thinking that we're moving into wartime footing and agriculture is not in the crosshairs, shame on us, because I guarantee your adversaries are well underway to whatever planning there is out there. So hopefully this podcast will put a few red flags in the pole as well.
38:29 - Kristin (Host)
Well, let's talk about that just a teeny bit. So, and I'm not going to get into the politics, so don't think that that's what this is going to be. We're just talking about the outcomes. The Ukraine is a breadbasket for growing right and now that they can't as much as they need to, for even supporting their own country, but they also support out to Europe. That's putting pressure on to other areas that are flour places in the world, Because we've already got food insecurity all over the place anyways, and people who are starving because of various other reasons global climate change, various other things, other wars. How is this going to affect, in your opinion, the global food economy, if you will?
39:17 - Andrew Rose (US) (Guest)
Well, I've got my opinions, I'll jump in here. So, first of all, if we take a look at the entire globe, who produces more than they consume? Which countries are those? And typically you're looking at the US, Australia and Brazil and when the world is going into a food insecurity situation, the first thing you're going to do is take care of your own population. I mean, that's just normal. If there is excess, we want to take care of our allies as well. Here in the US, we certainly have a geographic advantage of having moats to our east and west and friendlies north and south, and if you look at where most of our food goes, it's keeping the people to our north and south very happy. As food insecurity roils the planet, there are going to be populations that are going to not stay within their borders and there's going to be governments that will begin to topple. In order for us to keep our friends and different continents happy, if we can export some of that excess produce or excess production to them, that will help placate their populations and provide a soft power diplomacy. I'm trying to get too political on this one here, but what does it mean? It's going to mean well, there's 8 billion people on the planet today. Today there's not enough food to feed all 8 billion people and that's just a given using traditional, conventional methods of production. If you look at a country like Sri Lanka, they went and politically made a statement that they will no longer have anything other than organic, non-GMO production and within less than a year they went from an upper middle class country by definition every person in the country was upper middle class to having the politicians swinging from lampposts. Everyone starved. Now the country's in receivership, just because of a political dictate. And if you look at what Europe is doing with a lot of their standards too, they're removing the ability for them to feed their own populations. They're going to become dependent upon other people for food. [...] be terrifying. With the Ukraine situation.
41:37
They were very fortunate to get a grain corridor put up in the Black Sea. As you can see, they've been spending a lot of time on their aquatic drones and making sure that's secure so they're able to get grain out more than we thought. The issue was when they were doing it over land through Poland and the rest of Europe. All that cluttered grain then drove prices down, so there was some reluctance to accept that grain coming across the borders, we'll see. It's not necessarily the food, it's the inputs, it's the fertilizers. And where are the precursors of those fertilizers coming from? The majority are from Ukraine or Russia or China. So the next 18 months will be a little bit bumpy. I'll leave it at that before I get too dystopian.
42:18 - Kristin (Host)
No, it's okay, and I think it's especially important to talk about this in some capacity because we are a global food supply. So I think what happens in one area affects the other, even though the US is somewhat insulated and we have our own issues. Even the UK, to a degree, is somewhat insulated, but we still have issues on the borders on the outside that are going to put pressure on our interior farmers and since we've already got issues with environmental factors that are causing it's been so hot in the UK the last two years, two or three years during season that their yields aren't as high and they're driving costs all over the place, like you just described. So here in the US we have some of the similar problems and I don't think people realize how much of a trigger we're on with some of this.
42:59
Every bite of food that we take is a privilege. I always remind myself of that because I understand what it's like to have that moment where the food is in front of you is all you're going to get and this is what you have to deal with and if you want to, if you cannot waste it, it will go in the refrigerator and be leftovers for some other amazing meal the next day, and I think of that often, especially within the food system that we're working in, and it's scary, but it's not to the point where we can reverse some of this right. We can still work through this. Like you said, we're primates, we're just trying to figure it out right, and as someone who studied primates gorillas specifically I definitely feel that on a whole other level, the basic needs will be met no matter what happens. Hopefully it's just not in chaos.
43:37 - Andrew Rose (US) (Guest)
One thing I do want to add to that in terms of the heat and the environment and what's going on.
43:41
There are some really interesting advances in genetics, both for proteins as well as for plants, and we've, I think it's probably common, we've developed a short-statured corn which has a thicker stalk, same ear yield, but resists a lot of those wind storms that come across the Iowa and Illinois and Indiana. And Illinois came out with a strain of corn, I believe it was about two years ago, that requires 25% less water, because now there's an abundance of carbon dioxide in the air that it can absorb and it doesn't need all that water.
44:08
But it hasn't evolved fast enough to reduce its water uptake. So through engineering we're able to assist it in that function. And I'm sure you've heard about the slick gene that we've got in the beef cows. So now we can have beef cows existing on a planet with an ambient temperature of 120 degrees, and I've heard rumors that dairy is not far behind on that one. So the piece there is making sure that we got soy and other crops that can then feed the livestock that can exist on that planet as well. So again going back to science, because we're not going to be able to selectively breed ourselves out of the way of climate change. It's just not going to happen.
44:38 - Kristin (Host)
Yeah, we just have to work with it. I guess is the best way to do it and adjust to it, rather than oh, it's the end of the world, it's not, we just have to make adjustments. That may be a little bit uncomfortable. Swinging it back into cybersecurity and this is what I love about doing this show is because we kind of expand our knowledge set a lot more. When we talk as a cybersecurity expert and I think both of you agree the more you're informed about the things around the systems that you protect and the different type of people you protect, the better you can be at protecting them. Because if you don't have that knowledge, then what are you doing? Andrew, I'm sure when you went and worked with the air traffic control I mean at the time were you an air traffic control specialist or was that something you learned on the job?
45:15 - Andrew Rose (UK) (Guest)
I absolutely learned it on the job. So I came from the legal sector, which was entirely different, entirely. Couldn't be more different, and then I was an analyst for five years. So this opportunity just came along and it's the sort of thing you just can't say no to because it's a security world. That means something. Working in the legal sector is fine. You're keeping one very rich company rich and helping them make a merger and acquisition to make them a little bit richer the next day, and that's fine. But it doesn't really mean anything. But air traffic control and those critical infrastructure things really does make a difference to you. Keeping people safe. It's all about safety and so for air traffic control I had to learn that on the job. It was very much about sort of transferring my knowledge into the operational technology environment, creating a culture within those operational technology engineers to make sure that they understood the cybersecurity applied to them in their context, and then started to wrap controls around all of those pieces to make sure that we could be safe.
46:10
It's interesting Andrew talked about anarchy and how long it takes. With air traffic control we didn't worry about that too much, but certainly when I was at Mastercard we were doing all these interbank transfers, and we knew that it wouldn't be long if those systems failed. If you couldn't go and buy food for your children, how long would it be before you were smashing down the windows and just taking the food? 48 hours, something like that. And so we knew that we were running systems which were critical and had a really short time base before we created anarchy on the streets of our society. So it is something that people can build up a knowledge of, certainly, but it's not a natural thing. This OT security piece is still pretty rare. We talked about it at RSA and there's not that many people around with this ability or this way to think through these situations from that angle.
46:53 - Kristin (Host)
No, we're definitely a very rare, small, niche-y breed of people and we're very proud of it. Actually, we get us in a room and we all completely geek out together. We really are a community, which I appreciate, and not just on the US side, it's global. We talk to everybody. We're trying to educate more and more. I mean, I've double niched myself between OT and the food industry, so like I'm kind of like a party one. You know a lot, which is OK, and you know what. I'm hopeful that people will join the party, because we do have a lot of fun over here and for food and ag, as we're wrapping up this conversation, because, wow, I feel like I've learned a lot, which I really appreciate greatly. Is there anything that you want to discuss about some of the future trends that are coming up, the things that are going to? We need to keep on our radar, not only as cybersecurity professionals, but any of the food people that are listening and beyond.
47:40 - Andrew Rose (US) (Guest)
All right. Well, that's a bone with a lot of meat on it, so I'm going to pause here and think. One thing I do want to mention too, for anyone who's listening, who is in the agriculture sector, if something happens, please report it. There is an easy website called ic3.gov. You can report anonymously. The government will use that information to both triage and identify trends and it'll be a multi-agency response.
48:06
If you file something and it's a low dollar amount, obviously the federal government has budgets. They need to justify the expense of going after something. But if you report it and someone else reports it and a third person reports it, all of a sudden the aggregated amount gets to a level where they can respond. So please report to ic3.gov. Report on behalf of your friends yourself, anonymously. Again, the FBI is there to catch criminals. They're not there to victim shame. If you call the FBI in, they're going to get in and out as quickly as possible with full permission from you to access whatever it is they need, and then they're going to go catch the criminal, but they're not going to fix your systems. So I did talk to a large pork producer who was upset the FBI didn't fix his computers. I said that's not their job and he was. I couldn't placate him, but I at least stated that as a whole.
48:49 - Kristin (Host)
Based on the FBI right. I've sat in some food defense meetings talking with the FBI and they always keep saying get to know your field office.
48:57 - Andrew Rose (US) (Guest)
Make a friend before you need it. Yeah, make a friend before you need a friend. That's usually my first bulleted point, but in the ag community there is a little bit of trepidation about the FBI. There are certain sympathies for what happened on January 6th and the FBI will be the first to tell you. Everyone in this country has a First Amendment right to wave a flag, to have a bullhorn, to ring a cowbell. But once you take an action, that's when risk and consequence occurs. So sympathies are fine, you know, and they're not there to judge you on anything like that. They're there to catch criminals. That's what they do and they're really good at it. They have a long memory and they have a long reach to do so. So don't be afraid to report if something happens.
49:34 - Andrew Rose (UK) (Guest)
Global threats, the nation-state threats against critical national infrastructure are escalating. We're seeing nation-states looking to impact the economies of their competitors and their enemies, as it were, and this is being done in a multifaceted way, whether it's political intervention using disinformation, whether it's attacks on systems and capabilities just to undermine the trust in that society and create division. But I think, as Andrew mentioned, the food, agriculture, environment is vulnerable to this and could be such a force multiplier. So we can expect really competent cyber attackers to start looking at this space, and that worries me because obviously the new technologies are coming out right now and we've all talked about AI and all those sorts of things in every other conversation we ever have. But those things are going to enable the attackers to amplify their capabilities and we'll start to see hyper-personalized attacks coming in. So to date that's always been talked about, spear phishing figures out that Kristin likes skiing and so we're going to invite her to the local skiing club or whatever it is, but that takes time for an attacker to do, so it's relatively rare. But actually with AI, hyper-personalization delivered with grammatical perfection, with a really compelling lure and a compelling push linking back to news stories that you're interested in, because they know what news stories you follow, that's on the verge of coming out, and then that could be supported by a deepfake video which is your partner or your boss or someone like saying you must do this, you must click on this link. So we're going to see all those new technologies being utilised in the next wave or two of cyber attacks, being utilised by these very competent nation states to disrupt our societies and again, agriculture is right in the middle of this.
51:25
So I'm worried about where that goes, and I think the thing we need to do is we need to start raising awareness of the capabilities first, because if people understand what a deepfake is, they understand what AI can do, then they're much better protected about it. They're more inoculated to the possibility because they go, oh, I've heard about this. This could be really weird, couldn't it? It doesn't look quite right. So we need to educate, definitely, but we also need to start building those controls in, because Andrew and I have done a podcast together before, or a webinar, I think it was, and there was lots of discussion about all of the innovation that's going on in the agri-foods environment, all of these startups coming with brilliant ideas for improving our capabilities, and that's awesome, love it. But I'm really concerned that those guys are doing this with not enough of a focus on cybersecurity.
52:09
Very early on in sort of the physical security phase, when suddenly everyone realized that you could actually connect your iPhone to your front door and you could actually open your front door with an iPhone and you could sort of have a doorbell that pushes that. All those products, the first wave of those products, came out no security embedded, because it just wasn't seen. They just wanted to create functionality. That was key. First to market with functionality, all they wanted.
52:30
And I'm concerned that perhaps that happens again in this industry and that would be a devastating mistake because if those are adopted and put into systems, put into processes where we know critical national infrastructure has a problem with legacy tech, you buy it once and you keep it for 20, 30 years and you don't change it. If they're going to embrace these new technologies and put it on their farms, it's going to be there for a while and if that's not capable of being secured properly, then we're building huge problems for a long period of time here. So there's a lot that concerns me, which is why I think it's great that we have this podcast and other conversations to try and raise awareness. So those startup companies can perhaps think twice when they're creating this great new function and think well, perhaps I should build security and perhaps that will enable us to be better in the future. Absolutely.
53:13 - Kristin (Host)
I think also, having agro-tech in general be built with security in mind as well is really super important. So, any product security people that are on here, hello, can you do that for us? That'd be great, because it would just get that little bit more of a okay, we're somewhat protected, but now we just have to do everything else around it. That would be a lot more assuring, I'm sure, to a farmer than just going down to the local farm store and buying a drone that doesn't necessarily connect to everything. It could cause a problem or something like that as a bad example, but I really think that we need to have better product security inside of the farm tech.
53:45 - Andrew Rose (UK) (Guest)
We absolutely do, and there's one sort of incentive to this, because there was a product that was released into aviation and aviation is very picky about products but this was released into aviation and it was put into pretty much every jet and every airliner, but it wasn't really built with security in mind and so it can do its little function, its little dumb function, and that's all it does.
54:03
The problem is, if they built security into that from the off, then that would have had so much more potential for growth. They could have got that little system to grow and do more functions and bring more functionality and more operation capability to the cockpit. If only they built security in from day one, but they never did, and so now it's hamstrung entirely to only do a little dumb job. So think, if you're a product developer and you're in this space, think very much about if I want to create the length of delivery, to create a value chain that can get longer and longer with my product, then I need this to be secure. It needs to talk in a secure way. It needs to authenticate correctly using zero trust principles. It needs to be able to be scalable. All of these other security things need to be built in, and if you do that, then you have a product which you can maintain and build upon for years, and that's where your company will grow.
54:51 - Kristin (Host)
That's great advice too, as we're wrapping up for our final here. Any last words before we go to the listeners?
54:56 - Andrew Rose (US) (Guest)
I do want to give an amen to that. I've been preaching the secure by design principles to robotics and ag tech companies, and it's not a resistance, it's an "Oh, didn't think about that." So it's not a, it's worse. Well, I mean, they're concerned with interoperability, exchanging information, flow of data. So security is obviously an afterthought, if it's thought at all, but by putting that in the top five on their list, now it's there. I'm also coming from the investor standpoint. So an investor is not going to want to put money into a company that's going to have a lifetime of patches and upgrades required because they weren't thinking about security on the front end. That's just going to degrade their investment dollars too. So there is no pushback from that, it's just a lack of awareness, which is the first step in anything.
55:38
Another piece that I, I mean, this is more of a global piece, but as a species, we rarely will fix something until it's been broken. So we didn't even understand how significant this was until the JBS attack. So, Andrew, I'm just hoping that somebody someday will come back to this podcast and say, oh, all those things Andrew said, yeah, we're going to implement them. Now that something has occurred, you know, rather than getting ahead of the attack. So I'm not, I mean, I don't want to be overly cynical, but it appears that's typically the way that we operate. The thing that we haven't talked about here and, Chris, maybe you'll cover this in another podcast, was the Microsoft hack of all the executives, and there's a lot of speculation that the source code is gone and that the Russians now know every zero-day vulnerability before Microsoft does. And I don't know if you've been watching your Microsoft updates lately, but every day now there's another patch coming in. And again Microsoft. I'm just speculating. No one's admitted anything yet, but I have a high suspicion that some of that could have been compromised.
56:30
And then, going back to the secure by design is a liability piece. Let's say that there is that one little thing that everyone's using that isn't secured. What happens if that's a conduit for an attack? Then who is going to hold the liability? Is it the end user? Is it the farmer or the agribusiness? Is it the manufacturer? Who knows? Are they still in business?
56:48
There's a lot more questions there than there are answers and, as I mentioned before, we need to understand we're in pre-war footing here. Our enemies are already pre-positioned into our critical infrastructure. If we're not aware of that, if we're not mitigating and responding to that, shame on us.
57:03
And with the, and again, this is Andrew just speculating out there, but the number of onslaught of attacks and the increasing velocity of these attacks, we still are playing the nice guy. You know, we're still putting the fires out, fixing things, and whatever offense we're taking is shrouded in opaque for certain reasons. Yeah, but we're going to reach a day when this crescendo is so great that we're just going to take the gloves off and start hitting back, and you know I'm kind of looking forward to that. I mean, just, you know, they said that a cyber attack could constitute an act of war, and I know that's been said, but I haven't seen it acted on yet. But it breaks my heart because, for every ag hack that you see, there's probably another 90 that I hear about that aren't seen. And it breaks my heart what's going on right now and I really would love to punch back a little bit.
57:48 - Kristin (Host)
I really wish that people would share, you know, more. And this is why I always say that cybersecurity, in a lot of ways, is about mitigating shame. It's not just about risk, it's shame, because people feel a sense of shame when they get hacked. They feel a sense of shame when they haven't done enough or they have to report it. They have to, you know, suck in, oh, I did something wrong. I don't think people realize how much we don't look at it like that. We're like, okay, what happened, all facts, okay, good, now let's deal with it. Or this is the things we could do to prevent that feeling in the first place. And I really wish that people would deal with the shame up front and know that they just have to deal with everything that's going on to avoid the icky, oh God, we might have killed somebody because we poisoned our food or something else really bad happened, or people just died.
58:29 - Andrew Rose (US) (Guest)
And I, or Kristin, I mean, the easy answer there, at least the normal reaction, is let's just fire the CISO, you know.
58:35 - Kristin (Host)
Yeah, let's not, let's. We need to stop that too, because that's, you know, scapegoating isn't going to help in the long run. Just makes your company look like a bunch of jerks. That's frustrating. And then here we go back to the simple aspects of farming. Again, they now have to worry about cybersecurity. It's kind of a bunch of crap, right, because this is frustrating. They just want to grow plants, like this is what their family's been doing forever, or whatever, they've chosen the career to do it. And now here we are overloading them. So the idea is to make it easier for them instead of fighting with it.
59:05
Yes, you have to report when things happen. Yes, you need to reach out to your peers. Yes, you need to talk to people. You all talk to each other anyways. Keep talking to each other. You know.
59:12
We need to know what's going on and we really have to stop this silo thing that we have in cybersecurity and beyond of we don't talk to each other. I hate that. This is what makes us insecure. We have to communicate things that are going on and not because, oh, a shame legal, oh, I can't talk about it. You could talk about it and just not talk about it. You know what I mean. There's a way. We're all really good at it. We're all really good about not talking about companies, but, yes, something happened and we need to share the steps that were taken, instead of the after effect of crisis teams and all of a sudden recovery, and we're going to be resilient through this. If some kind of major incident happened at a small farming company or a midsize farm company, it would take them out financially, because nobody has 10 million in the bank, necessarily, right?
59:56 - Andrew Rose (US) (Guest)
So, Kristin, are you setting up the next podcast? Because we ran a field exercise recently in Pennsylvania. That is pretty much word for word what you described. There were two identical companies, agribusinesses. They both got hit almost on the same day. The same ransomware, same actors. One paid ransom, one didn't. And we were able to do, 18 months later, postmortem on what that was. And it is amazing, we haven't released a white paper yet, but that was part of the volunteer work I do for the BIO-ISAC.
01:00:23 - Kristin (Host)
But when that white paper releases, will you please let us know? Because I know I would definitely like to read it. I'm sure Andrew would read it as well.
01:00:29 - Andrew Rose (US) (Guest)
Well, it echoes what you said. The CEO, they didn't even think that this was anything other than why us? It was emotional, it was tears, it was employee tears. So they felt personally attacked. They didn't even think about law enforcement or anything. They just wanted to get their, get everything cleaned up and get their systems online. It was a significant financial hit, a significant time hit, and they are a major player in the country for the sector they serve, as was their competitor. So, yeah, affirmation to what you just said.
01:00:58 - Kristin (Host)
Wow, yeah, so good. I'm excited for that white paper and I'm terribly sorry that that happened to them, because we do feel that, like we don't want this to happen to people. Some people think that we're you know, we're ambulance chasers. We're not, and everything that's happening is happening because we've all said it over the last couple of decades we needed to prepare for this. We haven't. So these are the consequences and I want to just make sure that we have safe food for everybody in supply chain.
01:01:22
Thank you both for being here. This has been a great conversation. I have adored it. I will have all the ways to contact both Andrews in the show notes. Probably some of the other fun things, like secret pizza and Scott's pizza tour will probably be in there as well, because we're all ultimately foodies at the end of the day, and I will make sure I put some of the reporting things that Andrew had mentioned, such as IC3 and things like that. So thank you both for being here. Really definitely appreciate it. We're going to have to do this again, obviously, because clearly we ran out of time. We have to find the other Andrew Rose, oh.
01:01:52 - Andrew Rose (US) (Guest)
I know where he is. It's just a matter of getting him on here. He's defense, so he's often kind of reticent about talking in public.
01:01:59 - Kristin (Host)
We'll have to wait till he gets declassified or something, and then we can have him on. Pretty much. Anyways.