How secure is your food: Cybersecurity threats and careers | Guest Jonathan Braley

[00:00:00] Chris Sienko: Today on Cyber Work, Jonathan Braley joins us from the Food and Agriculture Information Sharing and Analysis Center (Food and Ag-ISAC to its friends) to talk about the security challenges being faced by the food, farming, and food production sectors. 

[00:00:12] Jonathan Braley: we're tracking, up to 250 different adversaries. Nation state groups, cyber criminal groups, hacktivist groups, and we've built out these kind of historical playbooks. 

[00:00:23] Chris Sienko: Now, food and ag feature a lot of physical systems that are more explicitly connected online which means more opportunities for attacks that could have global implications to the food supply. 

[00:00:32] Jonathan Braley: We, outsource a lot of food, globally, it's not just the U S that's going to feel impacts from cyber events, it's going to be a whole world problem.

[00:00:40] Chris Sienko: Let Jonathan give you the inside scoop on what you need to work in food and ag security.

[00:00:45] Jonathan Braley: if you had any. Background or knowledge and protecting, operational technology, ICS,

I think that would be a huge plus.

[00:00:52] Chris Sienko: That's today on cyber work. 

The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377, 500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why InfoSec has leveraged 20 years of industry experience Drawing from multiple sources to give you, cyber work listeners, an analysis of the most popular and top paying industry certifications.

You can use it to navigate your way to a good paying cyber security career. 

So to get your free copy of our cyber security salary guide ebook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. click the link in the description and download our free cyber security salary guide ebook.

Your cyber security journey starts here. 

Now let's get the show started

 

[00:01:48] Chris Sienko: Welcome to this week's episode of the cyber work podcast. My guests are a cross section of cyber security industry thought leaders and our goal is to help you learn about cyber security trends. And how those trends affect the work of InfoSec professionals, while giving you some tips and advice for breaking in or moving up the ladder in the cybersecurity industry.

My guest today, Jonathan Braley, is the Director of the Food and Ag ISAC. The ISAC provides threat intelligence, analyst analysis, and effective security practices To help food and agriculture companies detect attacks, respond to incidents, and better protect themselves. Jonathan and his team produce curated threat analyses for the sector and represent the organization to policy makers and industry stakeholders.

In addition to this, he also serves as the Director of Threat Intelligence. For the information technology information sharing and analysis center or it isaac Where he acts as the technical and analytic lead for a team supporting the world's leading technology companies So those those who have uh been with uh cyber work for a while know that we've been doing some Um, cybersecurity by industry episodes, including several on industrial control systems, manufacturing infrastructure.

Uh, so when I heard about Jonathan and his involvement with, um, food and agriculture security, I knew we absolutely had to, uh, have him on the show. So I'm looking forward to this discussion. Thanks for joining me today, Jonathan. Oh, cyborg. Uh, so to give our listeners a better chance to learn about you and your origins, what was your initial interest in computers and tech?

Because I know you started out studying biology, but what was the thing that got you first interested in making the switch to security?

[00:03:22] Jonathan Braley: Yeah. Uh, it's a great question. Um, so I, I went to James Madison university. Um, really when I got to college, probably like a lot of people, I just really didn't know what I wanted to do.

[00:03:33] Chris Sienko: Mm hmm. Mm

[00:03:34] Jonathan Braley: premed. I moved to kinesiology at one point. Uh, eventually realizing that, you know, I always had this passion for computing and an interest in computers. Um, so later I kind of switched, did a 180 and, uh, started doing that and said, and I think part of that passion comes from, um, I grew up in the early nineties. My mom worked for my uncle, um, he had an IT services company. So I spent a lot of hours at that office,

[00:04:00] Chris Sienko: hmm.

[00:04:01] Jonathan Braley: often on at it for the time, pretty sophisticated computers.

[00:04:04] Chris Sienko: Yeah.

[00:04:05] Jonathan Braley: uh, I remember being one of the first kids in my neighborhood to actually have a home computer. Um, just because of my uncle was able to get us one. So, um, yeah, I don't really know where biology came from. I did grow up, uh, in North Carolina. I had a big connection to the water and the outdoors and, um, kind of went into college thinking that would be the route to go and then realize you should just follow what you're interested in.

[00:04:27] Chris Sienko: Yeah.

[00:04:28] Jonathan Braley: that's what I ended up doing.

[00:04:28] Chris Sienko: Yeah, I think that's that's you know, that's a pretty common refrain is that you you hit college and you instantly sort of give up the things you're interested in favor of the things you think you should be interested in or That'll help you make your way in the world. And and yeah, it rarely Rarely lines up.

Unfortunately, like your your real nature will come out and uh and remind you of what what you need. So that's good Uh, so looking through some of your your past positions. Um, I want to ask you about some of them you spent some time at at valley apps as a You G suite deployment specialist, uh, before joining the information technology information, uh, sharing and analysis center or ITISAC, uh, as a director of threat intelligence in 2017.

So that was around the time that you got your bachelor's degree in information technology, uh, data network security. So can you talk about how this career pivot happened and what you needed to learn to do in terms of hands on activities and how that sort of translated to the, uh, ITISAC role?

[00:05:23] Jonathan Braley: I was, um, very fortunate to get that opportunity at Valley apps. Uh, I actually did a lot of the work there while I was in school.

[00:05:31] Chris Sienko: Mm hmm.

[00:05:32] Jonathan Braley: so kind of getting that, that work life balance was a little bit difficult, but started out doing search engine optimization for their, uh, previous, so Valley apps had a business where they actually were primarily a web design company. Mm hmm. I had taught myself HTML, CSS, and I was doing a lot of work updating, um, clients websites, but also kind of the metadata so that they would rank higher in search engines. And then, um, Valley Apps became one of the early companies to actually partner with Google through a partnership program they have. And, um, the whole company, we got certified and trained to actually migrate and deploy businesses from, um, You know, some of the more archaic email systems to Google's business email platform. that's where I really started to understand the cybersecurity challenges that, that kind of small and medium sized businesses were facing.

Many of the clients we had were, you know, on these email systems, there was no security, no MFA. They didn't have, um, backups for their file systems. It was kind of a wild West. They just picked a free service and we're using that.

[00:06:38] Chris Sienko: Mm hmm.

[00:06:38] Jonathan Braley: then later realized that they should probably upgrade to, you know, domain based email or something a little bit more security.

[00:06:44] Chris Sienko: Right.

[00:06:45] Jonathan Braley: at the same time, this was when HIPAA compliance was rolling out. So a lot of the

[00:06:49] Chris Sienko: Oh yeah. Hmm.

[00:06:52] Jonathan Braley: to Microsoft and Google's platforms because they were meeting some of those new regulations that were there. um, that's when I really started to understand the cyber side of things, um, ended up being the main deployment specialist for Valley apps.

My job turned from migrating and deploying to also educating some of our customers on, you know, what they should and should not be doing. Uh, to protect their networks and email systems. And then I also got a whole bunch of skills in communication, project management, um, started to learn networking, email systems, DNS ports, things like that, but it, uh, it was a great opportunity for me.

Um, that really gave me a lot of confidence, um, a cybersecurity perspective, but I think I also gained a lot of tangible skills that have, uh, kind of followed me into this, this role with ITISAC,

[00:07:38] Chris Sienko: You were talking about some of your clients and how, you know, it was kind of the wild west and they would You know, pick a free service and go with it. And there would not be a whole lot of security measures in place. Now, when you say that they didn't use MFA and they didn't do these other measures, were those things available to them and they just didn't know to use them or was it, I mean, cause it really was at that point, like there, there wasn't a lot other than your regular, regular, regular old passwords and stuff like that, it seems like, but like, what was the, what was the sort of disconnect there?

Was it

educational? you kind of nailed it. This was, you know, 2011, I think through 2017, um, I was there and, you know, we hadn't seen ransomware yet. There definitely were phishing attacks. People were getting their emails stolen. There was business email compromise, which we saw quite a bit of, but I think, um, MFA wasn't, wasn't fully adopted.

[00:08:27] Jonathan Braley: There's a lot of email systems that didn't have it. Like you said, it was

[00:08:30] Chris Sienko: Yeah. Yeah.

[00:08:31] Jonathan Braley: and passwords. And, um, you know, nowadays it's, it's rare that we see a product that doesn't offer it

[00:08:37] Chris Sienko: It's almost standard operating at this point, yeah.

[00:08:39] Jonathan Braley: an essential thing to have, um, if you really want to protect systems.

[00:08:43] Chris Sienko: Yeah, no, absolutely. Uh, that's interesting because, yeah, that's something we take for granted now, but uh, you know, at that point there was a lot of, you know, I guess maybe partially people didn't really know the scope of the threat, but also just didn't want to think about it because they couldn't really imagine it.

[00:09:00] Jonathan Braley: is, you know, I'm, I'm migrating these email systems and part of that was usually having to get the usernames and passwords. So I really got to see some of the interesting passwords that people were using,

[00:09:09] Chris Sienko: Oh god, yeah, yeah, yeah. A lot of, a lot of names of pets and stuff, I imagine, and names of children.

Password. Yeah. Yeah. One, two, three, four. Yeah. Break out in a cold sweat just thinking about those days. Uh, so, um, in addition to ITISAC, which we talked a little bit there. So for the past year and a half, you've also been the director of the Food and Egg ISAC, which is, uh, Information Sharing and Analysis Center.

Um, it's similar to the IT one, but for the Food and Agriculture Center, which is the thing I really want to talk to you about today. So. Uh, what exactly is the Food and Ag ISAC? Is it a government agency? Is it a independent organization? What are, what are your primary responsibilities?

[00:09:49] Jonathan Braley: Yeah, good question. So, um, the Food and Ag ISAC is not a government agency. We're actually a nonprofit organization. We're run by our board of directors who are also members of the ISAC themselves.

[00:10:00] Chris Sienko: Mm hmm.

[00:10:02] Jonathan Braley: our membership is actually restricted to private sector companies.

[00:10:06] Chris Sienko: Mm

[00:10:06] Jonathan Braley: that being said, we have a really good relationship with CISA, FBI, USDA. um, we're still collaborating with them, but they don't have, you know, direct access to our members. Conversations that are happening. Um, so a little bit of background about ISACs or information sharing and analysis centers, which I was very impressed. You nailed that whole long

[00:10:25] Chris Sienko: hmm.

[00:10:26] Jonathan Braley: of it ISAC on the first shot.

[00:10:28] Chris Sienko: Yeah.

Awesome. they were, established to support, uh, us critical sectors. They were mostly developed in the early two thousands. Many of them are up of private sector companies. There are a few that have some direct government involvement. But, uh, essentially there's almost an ISAC for every U. S.

[00:10:47] Jonathan Braley: critical sector, so information technology, electricity, health, transportation, financial services, uh, most of them have an ISAC involved.

[00:10:56] Chris Sienko: Hmm. Mm

[00:10:57] Jonathan Braley: have also heard of ISOWS. are very similar to ISACs, but they typically support more niche communities and not the bride, the broader, um, critical sectors.

So, you know, like a sports ISAL or something that doesn't really have a critical sector representing it. There's plenty of ISALs to support those as well. So, um, background on the food and ag sector, they never had a formal ISAC. So. the early 2000s, the ITISAC started to receive membership applications from food and agriculture companies, um, which at the time we thought was strange.

And then we realized that there wasn't a food and ag ISAC, uh, that they could go to. And we realized that some of these larger food companies, and medium and small, but they had the same IT challenges that our IT companies were facing, right? So it made sense for us to bring them in. As a number of agriculture companies grew in our membership, we actually formed a food and ag special interest group or SIG,

[00:11:57] Chris Sienko: hmm.

[00:11:58] Jonathan Braley: was part of the ITI sack, I think since, you know, late 2000, 2008, somewhere there. And we ran that all, all the way up until the formal food and ag ISAC was, uh, established. So we've been supporting the food and ag companies for a while. We've been kind of their ISAC. Um, I think some attacks against the sector over the past few years raised awareness that there was. Not a formal ISAC for the sector. So kind of hearing that feedback, hearing discussions kind of, uh, around the, the, the landscape, we decided to rebrand the SIG into that official, um, food and agriculture ISAC. So one of the things that's, that's great about the rebrand is the food NAG ISAC still currently sits under that IT ISAC umbrella.

So for a member to join the food NAG ISAC, basically join the IT ISAC. And if they're a food company, they just get pushed straight into that. Um, and what, what the benefit of that is those trusted relationships that they built with those I. T. companies over the years, they can still have those. And then the other thing was, we were able to get the food nag isaac operational immediately.

We already had the sharing procedures in place, the functions, um, you know, the, the nonprofit identity. So it was very easy for us to just basically rebrand that sig, but now we're, we're doing a lot more stuff for it, for that group as well. Okay.

[00:13:19] Chris Sienko: Okay. Um, I guess I want to pull back one one layer from there. Um, uh, with regards to the idea of an information sharing and analysis center. Um, what are like, give me some like concrete examples of the type of information that you're analyzing and sharing, you know, whether it's in food and ag or it or infrastructure.

Like what is what are the commonalities of? What these types of, um, organizations actually do for their, their, their client base. Great.

[00:13:56] Jonathan Braley: right? So they can share relevant, actionable cyber threat information. So if one company sees something, they distribute it to an ISAC, the ISAC lets all the other members know that that has happened. Um, we don't just stop there though. I have an operations team. So we're also trying to proactively help, um, with some of the analysis work. Um, But essentially what we've done is we've, we've created a forum for companies to share what they're seeing. They can ask questions. My team will then, uh, kind of supplement that sharing with some of our own curated intelligence.

So we have a daily report. We're looking at critical vulnerabilities, patches. We're putting indicators of compromise that relate to it sector attacks, food and agriculture attacks. Um, we're doing kind of an analytical summary of the major happenings throughout the cyber landscape across. You know, the specific sectors, but more generally, then we're doing, um, a lot of other things too.

We have a very robust ransomware tracker. So we've been looking at ransomware attacks going back to 2020. I think we're around 6, 500 events, um, as of yesterday. And we're tracking ransomware attacks across all critical sectors. So we're looking for trends. What are the top groups, um, of the groups that are attacking ransomware? You know, what's the percentage breakdown for the it sector or the food and ag sector. And what's great about that is now that we have this data, we can look for trends. If there was suddenly a spike in attacks against food and agriculture companies, we could look at our list. We could look at, um, the groups that are doing the attacks.

We could try to figure out, is there a common product or service that has a vulnerability that's maybe widely used by food and agriculture companies? So that's been a really big benefit for the communities is kind of doing that tracking and analysis on ransomware. And then, uh, another thing that's Possibly unique to us is we have a collaborative adversary playbook environment. we're tracking, um, I think we're up to 250 different adversaries. So these are nation state groups, cyber criminal groups, hacktivist groups, and we've built out these kind of historical playbooks. You know, um, what are the tools these groups are known to use? Uh, what vulnerabilities have they impacted in the past? use MITRE TAX framework to try to tag the actual tactics and techniques these groups are doing. What's great about it is it's collaborative in the sense that our members can also add to these playbooks. So we kind of have that force multiplier effect to track. I think one thing we realized is we have hundreds of members and they're all spending the same amount of time looking at the same adversaries.

So we wanted to kind of find a way for them to start sharing with one another. But other than that, you know, we're, we're always trying to help any way we can. So we get feedback from members. We're always looking to improve our analytics and, um, it's been a, been a very good environment so far.

[00:16:50] Chris Sienko: Well, yeah, like I said, at the start of the show, I, ever since I started inviting guests on the podcast to Specifically discuss industrial control systems security and then later manufacturing and infrastructure and uh related areas, it's been one of my favorite targets to explore because it's It's such a crucial.

Um space to keep secure and safe But it also gives professionals opportunities To kind of connect their talents and passions with challenges that I feel like have countrywide and even global implications So obviously food and egg is like right at the top of that list Uh, so let's start with some basics like what are From a security perspective, what are some common targets when it comes to food production?

And like, what are hackers trying to break into, basically?

[00:17:31] Jonathan Braley: Yeah, uh, I think there's a couple angles to this. So, um, we kind of have different buckets of threat actors and a lot of that is based on where, well, I guess who is sponsoring them, but really it's what their motivation is, right? So you have financially motivated threat actors. You've got some that are geopolitically motivated.

They're getting the backing of a, you know, a nation state to try to achieve certain strategic objectives. And then there's this ideological, uh, aspect to it too, with some of the hacktivists and for food and ag, that could be to global tensions, but there's also certain groups from a, you know, animal perspective where they're dealing with threats from that as well.

[00:18:13] Chris Sienko: Mm hmm.

[00:18:14] Jonathan Braley: um, know, cyber criminals that are financially motivated, they are often very opportunistic. So. It's hard to say that any of these groups are specifically going after Food and Ag, but I think just by the nature

[00:18:27] Chris Sienko: Right.

[00:18:28] Jonathan Braley: their widespread, you know, attack patterns,

[00:18:30] Chris Sienko: Okay.

[00:18:31] Jonathan Braley: doing things like invoice frauding.

They're doing ransomware. They're just doing phishing and business email compromise. And I think food and agriculture companies are getting pulled in that way.

[00:18:40] Chris Sienko: Mm hmm.

[00:18:40] Jonathan Braley: there are those sophisticated actors, some of the nation state backed ones. And, um, there's a couple of reasons they might attack food and agriculture companies.

There is. Sensitive intellectual property that the sector is known to have. So an example is some of the genetic work in food and ag, it can take, you know, a decade to develop, um, know, certain seeds, right?

[00:19:02] Chris Sienko: Mm hmm. Hmm.

[00:19:05] Jonathan Braley: that. So these adversaries might try to steal that intellectual property so that they can kind of bypass their own developmental timelines. Um, they might be looking for a competitive advantage on certain products or technologies or. Uh, might try to overthrow a certain, uh, crop or product on the market, and they might also just be looking to be less reliant on the U. S. for food. So I think that's kind of the nation state perspective. There some examples of, you know, um, if there ever was a serious global pandemic. Uh, attack, right? If we went into a real global conflict with another country, they, they could theoretically also target the food and agriculture sector to disrupt it, right? Um, that would cause some big problems for us. And then, you know, uh, they are cyber criminals, but some of these ransomware groups have been a big problem across all sectors.

I think 1 of the challenges for food and ag. Is they have this just in time delivery of of, um, products and services, right? Uh, so they can be especially disrupted by ransomware attacks. I

[00:20:07] Chris Sienko: Yeah.

[00:20:08] Jonathan Braley: are, uh, any more targeted than other sectors, but when they are a target, uh, we can see some, some big problems with that. 

[00:20:15] Chris Sienko: Yep.

[00:20:16] Jonathan Braley: I think generally, you know, the food nag, Sectors dealing with a lot of the similar problems that other sectors are I wouldn't say there's anything super specific

[00:20:25] Chris Sienko: Mm hmm.

[00:20:26] Jonathan Braley: they do have by their nature Challenges with some of the cyber attacks and that they can cause very quick problems for human health and safety and food availability

[00:20:36] Chris Sienko: Yeah, no, no, no question. So you, you said the type of attacks are pretty standard across the board. You see fishing, you see ransomware, you see business email compromise. Uh, are there any, have you seen any kind of like food and egg specific tricks or infiltration methods, methods that are sort of unusual to this industry, as opposed to say like water or electricity or government targets?

[00:21:00] Jonathan Braley: Um, yeah, that's a, it's a good question. Uh, you know, again, fishing poor patch management, those are always going to become some of the more common attack vectors,

[00:21:09] Chris Sienko: For sure. Mm

[00:21:10] Jonathan Braley: and medium sized businesses. But there is that manufacturing operational technology, industrial control system aspect of food and ag. and I've seen, you know, there's been some examples recently where food and ag companies have been pulled into, um, Some of the global tensions. So there's, there was some hacktivist groups after. Um, the Russia Ukraine situation, right?

[00:21:37] Chris Sienko: hmm.

Mm same with Israel, Palestine. Some of these hacktivist groups were going after industrial control systems.

[00:21:44] Jonathan Braley: There was a vulnerability that was found and, um, that impacted the water sector pretty heavily, but there was

[00:21:48] Chris Sienko: hmm.

[00:21:48] Jonathan Braley: and agriculture companies that were pulled in as well. And I think, um, one of the challenges with OT and ICS is these. environments were not always internet connected.

They used to be air gapped. They didn't have

[00:22:02] Chris Sienko: Mm hmm.

[00:22:03] Jonathan Braley: these connections, but we're, we're seeing a big shift for a lot of reasons where these facilities are becoming smarter. They're getting internet connected products. Now, this is a, you know, a huge swath of machines that now are going to have vulnerabilities that need to be patched going to be connected to the internet where they're going to be exposed when a vulnerability happens.

And it's, it's a little different when. your workstation computer goes down, then an entire plant gets taken down by a cyber attack. So there's a lot of challenges with it. And I think that's one of the big concerns we have as a group is making sure that those are protected, um, and, and mitigated properly.

So they're not exposed,

[00:22:45] Chris Sienko: Yeah. In manufacturing, they, they, they talked a lot about like edge computing and having these sort of far off, uh, you know, not connected centrally, but, but these, these processes, especially around manufacturing and sort of inspecting and things that could sort of, when they're way back to the source and do all kinds of awful things with escalation or whatever, I'm assuming that's, that's similar since food and agriculture is, has such a sort of mechanical component about it, that those are also probably issues to deal with.

[00:23:13] Jonathan Braley: Yeah. And IOT as well.

[00:23:15] Chris Sienko: Mm hmm. Mm hmm.

[00:23:16] Jonathan Braley: know, the, the things that used to be. of manual, like even sprinkler irrigation systems, things like that. Some of them are, are becoming connected with internet accessibility, which makes us a lot more productive. But every time you add

[00:23:30] Chris Sienko: Mm hmm.

[00:23:31] Jonathan Braley: to a device like that, it's another device that you've got to monitor.

That's going to have vulnerabilities that, um, you know, it becomes a very, you take a small environment of products that are vulnerable. And all of a sudden you've got this huge environment of lots of things that could potentially have problems. So

[00:23:47] Chris Sienko: Mm hmm.

[00:23:48] Jonathan Braley: the nature of it.

[00:23:49] Chris Sienko: So, um, one of the things I noticed when, when talking about, like, state and local government security was discovering, uh, you know, for example, like, small towns and municipalities were often prime targets for attackers for various reasons, not just their budgets, but sometimes they just didn't know that a small village like them could be the target of global cybercrime, and local government agencies.

didn't have any security posture in place just because they don't have the budget or they just didn't feel like they net they meant to and I've done a little reading on the topic of like state and local government circuit riders that travel to small towns and set up basic security for their their local government infrastructure I mean is there a similar split in agriculture between say these large corporate farms and small family farms in terms of both resource allocations but also So you having to kind of educate these smaller, uh, farms, quote, unquote targets that they, uh, you know, have these same sorts of global challenges that they're, they're larger, uh, peers do.

Yeah. And, um, you, you kind of hit the nail on the head. We hear that sentiment a lot, um, not just in the food and ag sector, but generally we hear companies say that they believe, you know, they're too small or too irrelevant to be targeted by cyber attacks, but, uh, you know, I'll tell your listeners that, uh, that's a dangerous mindset to have.

I mentioned earlier that a lot of these cyber attacks are opportunistic. These threat actors are using mass phishing campaigns. They're scanning for. Um, vulnerable publicly exposed systems. And I, I, I believe that a lot of times they don't know who the victim is until they find that vulnerability and

actually breach them right have the piece of the puzzle? Yeah.

yeah, so with, with cyber attacks, it's, you know, we often say it's not a matter of if, but when one will happen to you, um, I think that mindset's changing a little bit, but you know, that's the other challenge too, there's some really small farms, they. They don't have, uh, the resources or the IT staff to deal with some of these challenges. And I think a lot of them may not currently or haven't in the past had a lot of technology to worry about. But we're starting to see, you know, more and more technology being implemented every year. So I think sooner or later, they're going to have to start considering Cybersecurity as part of their, their kind of operational plans.

Um, because it's more than likely that they're going to have issues. Uh, so, yeah, one of our goals is to help the sector understand the risks that they face. You know, we're, we're, we're offering threat intelligence, not only to members, but we're also trying to distribute that down to the sector as a whole.

[00:26:18] Jonathan Braley: We know not everybody's going to join the ISAC. So we have done things like, uh, we partner with trade associations as well as some universities so that we are able to produce Thank you very much. Uh, weekly report, which kind of gets disseminated down to the folks that might need it. but it's a big problem.

And a lot of the larger corporations you mentioned are working directly with the smaller farms. So even if the large corporation isn't impacted by a cyber event, if they have the small ones that are, um, one, a problem from a productive standpoint, but also sometimes attack against that small partner. If there's some sort of shared infrastructure, things like that can also become a problem for the larger one as well.

[00:26:58] Chris Sienko: Okay. So pulling even further back to that, I mean, can you talk about the security threats facing food and agriculture and how, how the ones in the U S tied to kind of global? Okay. Issues around food production. Cause like you said, if, if the, a small one falls, it can take a larger one with it, but then I imagine that that can even escalate up to, uh, uh, you know, multi countries and nations and so forth.

Is that something that you have to consider as well in your work?

[00:27:21] Jonathan Braley: Yeah, definitely. The, uh, well, one, I think what's very interesting about the food and ag, um, sector and the companies we work with, a lot of them are global, right? They've got operations worldwide.

[00:27:31] Chris Sienko: Mm hmm.

[00:27:32] Jonathan Braley: one of the things I've been very impressed about working with the analysts at these companies is they have to have, that global perspective, I think a lot of. The times is analysts, you know, me being us based, we have, of have a, a selfish vision of, of what's actually going on, but they need to consider the whole impacts. But, you know, you're spot on if you had a cyber attack, um, there's some very sensitive windows for planning, planning and harvesting, for example. And, um, you know, if you had a cyber event that disrupted that, that could cause problems, um, globally, right. For,

[00:28:08] Chris Sienko: Mm hmm.

[00:28:08] Jonathan Braley: around the world, and then some of the global tensions, Russia, Ukraine, um. Russia went after, uh, uh, agriculture in Ukraine, right? Which they

[00:28:18] Chris Sienko: Mm hmm.

[00:28:18] Jonathan Braley: of products around the world.

And people had to go reach out to other countries to try to find how to get the same food that they normally expected.

[00:28:26] Chris Sienko: Right.

[00:28:26] Jonathan Braley: So, um, yeah, it's, it's definitely an interesting problem. Uh, the global. Kind of nature of it. It's food and eggs, very far reaching. We, we, uh, outsource a lot of food, uh, globally, and it's not just the U S that's going to feel impacts from cyber events, it's going to be a whole world problem.

[00:28:44] Chris Sienko: Yeah. Now, uh, you said in our introductory discussion the other week that you quote, you don't have a background in food, but you live in rural Virginia and you've been around. farms your whole life and that once you sort of started digging into the issues facing food and agriculture center, you, uh, sector, you found that it was a lot more interesting than you realized.

So, uh, for people who are interested in doing this kind of work, can you talk about the, the things you've had to learn about the production side of, of the food industry that aspiring food sector security experts will need to understand really well?

[00:29:14] Jonathan Braley: Sure. Uh, yeah, when I joined the IT ISAC, um, pretty early on, I started managing that FoodNag SIG, which became the FoodNag ISAC. And, um, I, I, I didn't know how interesting those calls would be, Mm hmm. Mm

the, you know, the ISAC was to this community. Members were sharing what they're seeing, um, collaborating on common challenges.

And, uh, you know, kind of, as I mentioned, there was large global view to this. It wasn't just the local U. S. It wasn't confined to U. S. based threats. And, um, you know, I kind of just realized how, important the sector was. And I was very impressed with the knowledge, the https: otter. ai You know, I, I, I think being near the farms now too, I have a much better appreciation for it.

And, um, when you start to really learn about the sector and how important it is, um, I think if you even look back in history, there's a lot of examples of, um, food being targeted because that's how you really put pressures on,

[00:30:15] Chris Sienko: Oh, yeah.

[00:30:16] Jonathan Braley: a society, right? So I think we need to, um, As global tensions kind of rise it's important for us to really think about food and safety and I'm that i'm able to help, you know, the food and ag sector with with dealing with some of the cyber stuff That's popping up

[00:30:30] Chris Sienko: Okay. Yeah, I asked partially because uh, so for instance when I was talking with certain industrial Control system people they were saying that to do the job Well, you didn't you just you couldn't get away with just having a security background You needed to know a little engineering. You needed to know a little bit about The sort of mechanics of how these different processes are happening And the way that your like security system is maybe affecting the timing of these things or maybe you're you're um You know testing based on like the quantity of say, you know Lie that's going into a water supply or things like that.

So I guess I was I wanted to ask if you If it's a similar thing in the food and ag sector where you don't really necessarily have to know how, uh, these sort of irrigation systems and stuff work, it's, it's more that you, you're still sort of essentially defending, um, you know, the perimeter in certain ways.

Is that, is that, is that a reasonable assumption?

I think it is, but you know, it, it all, it all kind of is the same thing, right? It's,

Yeah.

all these products, while they have different applications, they still are dealing with the same sort of threats. And,

Mm hmm.

that the analysts I work with are often defending the networks,

but they do have a really good, uh, Understanding of the production side and they are also

[00:31:49] Jonathan Braley: dealing with, 

[00:31:50] Chris Sienko: um, often there's a, a team that's, that's helping with the it security.

And then there's a separate team with the OT security, but we're starting to see a definite merger between those, especially as there's been more connections between them. but I, I'm also very impressed with the analysts ability to, I mean, you kind of a little bit have to understand. Um, food and farming and what your company is actually using, because you're

Right.

[00:32:16] Jonathan Braley: in a sense, have to protect those things.

[00:32:18] Chris Sienko: But I think the actual act of securing, um, these networks is very similar. There is some segmentation and things that have to happen because, uh, so I guess looking at ICS, one of the challenges with it, um, some of the machinery is designed to last. 20 40 years, right? So the, operating system it comes with, um, is that designed to be updated over time?

Did they? Uh, account for the new security vulnerabilities and tactics that are coming out. So I think there, there are some challenges from a manufacturing perspective of securing. and then just the nature of it, um, the, the underlying operating systems and things like that are going to be a little bit different than the it, but it all comes together.

I think, uh, they probably take a more holistic look about security. And as you mentioned, kind of putting up that wall on the outside to protect what's inside of it.

Yeah. Nice. Um, so I, uh, again, because a lot of our listeners are, are looking for their first job or, or, or, or working on their sort of career plan. Now, what is the job market like for, for food and agriculture, cybersecurity professionals? Like where, where are the jobs? Like, would you expect to be working in the government, local government, nonprofits, working for a large farm, all of the above?

Is it mostly sort of, Being under the employ of a certain organization, or is there a large freelance population, like what, what, what's the spread here?

[00:33:45] Jonathan Braley: Yeah, I, I think there's a, there's a lot of excellent opportunities for, uh, upcoming cybersecurity professionals to join food and agriculture companies.

[00:33:53] Chris Sienko: Okay.

[00:33:54] Jonathan Braley: probably more those larger ones. I don't, like I mentioned earlier, a lot of those small farms, even the medium sized ones. I don't know if they have a huge, kind of it staff cybersecurity staff to help deal with that, but there's plenty of opportunities.

Um, you know, I hear often that there's a lack of skilled people. Skilled professionals to support the larger food and agriculture companies. I know that a lot of them have job listings open right now. Um, I can't speak too much for the federal government or local government. I don't work with them as much, but I know that the private sector companies in the sector are, uh, dealing with cybersecurity.

They have very robust capabilities. I've always been really impressed with the, you know, security operation centers that these groups have. And I, I hear often that they are looking for candidates. So, um, I think there's plenty of work.

[00:34:41] Chris Sienko: Yeah. Oh, no, that's no question that there's plenty of work. Definitely. Um, so, um, you know, you, you, you said that, you know, before, uh, you know, when you were in biology, but before that, you've always been pretty tech focused and you've had access to sort of, um, you know, state of the art computers. And it's always been fascinating to you, but I guess I want to get a sense of.

Um, if there are any particular extracurricular skills that are unique to sort of the food and agriculture industry, are there any particular skills, paths, certifications, qualifications, experiences that you should be trying to get maybe when you're in your studies or just after that would be desirable?

Like, where was there anything particularly, I guess, because you had IT, ISAC in your background, but like, was there anything about your background that they saw and said, Oh yeah, this is. This is perfect for, for food and egg. Or is that, is, is there something that you can sort of show off on a resume that says, Oh, they, they definitely know that they understand this sector.

[00:35:38] Jonathan Braley: Yeah, I was a little lucky just because I I really didn't have a very good perspective on food and how it works But I learned very quickly from the members just hearing what they were talking about on a day to day But I can talk a little bit about you know From a security analyst perspective things that you would likely want if you're trying to to you know Get get a job with one of these food companies obvious things network security is great and Uh, a lot of, all these food companies, they have very typical corporate environments.

So some of the jobs are going to be the same as working for a major I. T. company.

[00:36:11] Chris Sienko: Mm hmm.

[00:36:12] Jonathan Braley: stands out to me is that many of the analysts I work with from these companies have a pretty good understanding of the products and services that are unique to food. So if you had any. Background or knowledge and protecting, you know, operational technology ICS.

I think that would be a huge plus. Um, and also I'll go back to having that understanding of global threats and motivations of certain adversaries would be big. Um, I'm a huge, uh, supporter of, of MITRE ATT& CK. I think the matrix that

[00:36:40] Chris Sienko: Yeah,

[00:36:40] Jonathan Braley: is really great.

[00:36:42] Chris Sienko: totally.

[00:36:42] Jonathan Braley: you know, you can, you can pick different adversary groups.

You can see what they're doing. Um, having that sort of experience, understanding the adversaries, Who they are, what they're doing. What are the main ones that have possibly attacked the sector before? Um, I think that's all great. then certifications and experience is good. I have gotten feedback from members that, you know, simple things like communication skills, eagerness to learn

[00:37:07] Chris Sienko: Mm hmm.

[00:37:08] Jonathan Braley: interest in food and agriculture, I think are big as well. Uh, like most jobs, there's some skills that you're expected to have, but a lot of it's going to be on the job training. They're going to have to train,

[00:37:19] Chris Sienko: Oh yeah.

[00:37:20] Jonathan Braley: anybody that comes in. But I think having, uh, the eagerness to learn, having good communication skills, having at least tried to. Um, have an understanding of, of network security and, and, and that will be a good kind of stepping stone for, for hiring managers.

[00:37:35] Chris Sienko: Yeah, awesome advice. All of it. So, um, one of the things that we hear a lot in terms of, you know, after the interview, why didn't I get the job? You know, if you're able to sort of ask and stuff, um, one of the things that I think is pretty common is that, uh, you know, an entrant doesn't really have a handle on the specific issues, either of the company they're applying to or the industry as a whole.

Uh, and this, this in particular, I feel like. Could really kind of deep six your your chances if you don't really Understand what's what's going on in in food and agriculture right now is like, where do you sort of keep up with? Issues or where would you suggest like a newcomer? Like are there certain trade publications certain websites that you check in on regularly like where do you sort of keep?

abreast of sort of changing

[00:38:28] Jonathan Braley: Yeah,

[00:38:28] Chris Sienko: issues Mm

hmm. you know, I've been running the food nag ISAC since 2017, and part of my job is finding the newest stories that as they relate to cyber and food

Mm hmm.

[00:38:44] Jonathan Braley: don't see it. I don't know if the, the sector isn't as flashy as maybe some other ones.

'cause I know that the attacks are happening. We see the

[00:38:50] Chris Sienko: Oh yeah.

[00:38:51] Jonathan Braley: but it hasn't been as widely reported on as some of the others. I'm starting to see more stuff coming out. There's a couple. You know, prominent, um, reporters that are starting to focus on food a little bit more, which is great. A lot of this stuff is, is coming from us.

So I guess the first thing I'll plug in is, you know, we have a website, we're posting reports and things like that. We have social media presence where we're,

[00:39:13] Chris Sienko: Okay.

[00:39:14] Jonathan Braley: trying to highlight what's happening in the food and agriculture sector, but it can

[00:39:17] Chris Sienko: Nice.

[00:39:18] Jonathan Braley: um, kind of difficult looking specifically for agriculture and cyber, again, They have a lot of the same it challenges, cybersecurity challenges that every other company does.

[00:39:28] Chris Sienko: Mm hmm.

[00:39:29] Jonathan Braley: ways to. Uh, do that research, getting in a habit of going on to some of those major blogs, trying to see what's new, what's happening.

[00:39:37] Chris Sienko: Mm hmm.

[00:39:38] Jonathan Braley: I'm a big fan of things like Reddit and some of those other sources where

[00:39:41] Chris Sienko: Yeah.

[00:39:42] Jonathan Braley: new stories as new attacks and techniques and vulnerabilities come out. I think, um, starting that before. You're done with college before you start applying for jobs is huge.

[00:39:53] Chris Sienko: hmm.

Oh yeah.

[00:39:54] Jonathan Braley: somebody and I, I know that they, uh, know about the latest stuff that's happening, that's always a good sign for me. So I, I definitely encourage people to, uh, be proactive on that front.

[00:40:04] Chris Sienko: Uh, this has been a great conversation, but before we go, Jonathan, I want to ask you something I ask all of our guests. Do you have a piece of career advice that you've received that has stuck with you through the years? Whether it was from a parent, or a mentor, or a teacher, or just something you read, an inspirational book.

[00:40:18] Jonathan Braley: Yeah. Um, nothing, nothing that's, uh, probably in a book, but I'll, I'll just share some, my own perspective on,

[00:40:24] Chris Sienko: Please.

[00:40:25] Jonathan Braley: own personal journey, but, um, you know, sometimes I surprise myself that I've, I've made it this far. Um, I will say I put. full effort into everything I'm working on, big or small. think another piece of advice is whenever I get an offer to help another team, join a new project, even if you already feel overwhelmed, you know, it's a, it's a good thing to do that. I think you gain a lot of new skills when you kind of work outside of your comfort zone.

[00:40:50] Chris Sienko: Oh, yeah.

[00:40:51] Jonathan Braley: and then lastly, mindset I think is incredibly important when you have a. You know, a big project, a speaking opportunity, a presentation. I often, when I hire new people and for my team, uh, it's very easy to get overwhelmed and stressed, especially if you're not comfortable doing those sorts of things before.

[00:41:09] Chris Sienko: Mm hmm.

[00:41:10] Jonathan Braley: I don't know if I learned this from somewhere, if it's just something I've done, but I try to train myself in my head to be excited for it. Right. Instead of feeling stressed or anxious, if you tell

[00:41:20] Chris Sienko: Yep.

[00:41:20] Jonathan Braley: for this opportunity, I'm excited to jump on this podcast right now and talk to Chris.

[00:41:25] Chris Sienko: Mm hmm.

[00:41:26] Jonathan Braley: that mindset and trying to be excited for different opportunities helps things go a little bit smoother.

[00:41:31] Chris Sienko: Yeah, you can never really completely get rid of anxiety, but it's, you can train yourself to sort of like hold it in one hand while you can sort of have an equal amount of excitement in the other hand and let them balance each other out. And yeah, that's, that's something you just learn by, learn by doing it over and over and over.

[00:41:46] Jonathan Braley: Yeah, that's the other piece of advice to, you know, if you're uncomfortable speaking in public, start speaking in public, because the more

[00:41:52] Chris Sienko: Mm hmm.

[00:41:53] Jonathan Braley: the easier it gets. So,

[00:41:55] Chris Sienko: Yeah, absolutely. So you mentioned, um, following the food and egg Isaac online and, and reading and learning, like where, where, where should people go to, to do that? What's the, what's the website? What's the, where, where's all the, all the links.

[00:42:08] Jonathan Braley: yeah, so we have a website it's food and ag hyphen ISAC. org.

[00:42:13] Chris Sienko: Okay.

[00:42:14] Jonathan Braley: we have membership information there if anyone's interested in joining, but there's also, you know, a whole bunch of public reports, we have a small and medium, uh, size business security guide. which I don't think I talked about that yet, but we basically built a guide for small farms. And it has 10 low cost, easy to implement things that you can do, uh, to improve your cybersecurity posture. So, uh, we can't send a small farm the NIST cybersecurity framework and expect them to do that. So we've come up with this really simple list, things that are going to put you in a better spot, won't cost you any money.

We have some examples of. Um, you know, it'll show ransomware and how applying these security measures would have prevented certain things. Um, so that's a public report. It's free. Hopefully folks will use that. We've been working with our. University partners and trade associations to try to get the word out on it. We're also, uh, we do quarterly ransomware reports, which focus specifically on the food and ag sector. We're pretty active on LinkedIn. And, um, I wanted to say Twitter, but X, 

[00:43:16] Chris Sienko: Mm hmm.

[00:43:17] Jonathan Braley: with October cybersecurity awareness month coming out, I'll be on different

[00:43:21] Chris Sienko: Oh yeah.

[00:43:22] Jonathan Braley: I worked with SZA in the past

[00:43:24] Chris Sienko: Okay.

[00:43:24] Jonathan Braley: some events they were doing, and then we'll probably be posting just on social media kind of tips and tricks throughout the month.

[00:43:30] Chris Sienko: Okay. Well, specifically if our listeners want to learn more about you, Jonathan Braley, should they follow you on LinkedIn? Do you have a, an X or any other. Sort of social media things that you want people to check you out on.

[00:43:40] Jonathan Braley: Gotcha. Yeah, I don't have a huge social media I am on LinkedIn. If anybody wants to friend me there, I'm happy

[00:43:47] Chris Sienko: Great.

[00:43:48] Jonathan Braley: that. I do do a lot of media engagement. So, um, we often do public reports, things like that. Last year I joined CISA for some webinars during cybersecurity awareness month. I suspect I will be doing that again, but, um, really probably the best bet is to, uh, follow the Food and Ag ISAC, LinkedIn and Twitter.

And often we have links to the stuff that's happening and things that we're doing.

[00:44:10] Chris Sienko: Awesome. Sounds great. Well, thank you so much for your time and insights today, Jonathan. This was a, it was great talking to you.

[00:44:15] Jonathan Braley: You as well. Thanks, Chris.

[00:44:17] Chris Sienko: And thank you to everyone who watches and listens and writes into cyber work with feedback. If you have any topics you'd like us to cover or guests you'd like to see or just want to talk, just drop them in the comments and we'll see if we can get to them.

But before we go, I just want to remind you to check out InfoSecInstitute. com slash free where you can get a whole bunch of free and exclusive stuff for cyber work listeners. You can learn about InfoSec's new career immersives, which can take you from a complete beginner to job ready in six months time.

By a combination of live instruction, hands on practice, and personalized career coaching that can fit any schedule. InfosecInstitute. com slash free is still the best place to go for your free cybersecurity talent development playbook. You'll find our in depth training plans and strategies for the 12 most common security roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, Privacy Manager, Secure Coder, ICS Professional, and more.

One more time, that's infosecinstitute. com slash free, and the link is in the description below. One last time, thank you so much to Jonathan Braley and the Food and Ag ISAC, and thank you all for watching and listening. This is Chris Henkel signing off. Until next time, keep learning, keep developing, and don't forget to have a little fun along the way.

Bye for now.