Critical Assets Podcast

Patrick Miller

The Critical Assets Podcast covers important OT and ICS security topics with an eye toward standards and regulation to keep you ahead of your adversaries... and your auditors. Ampyx Cyber. Securing your world. See our other content such as blogs, cybersecurity news and more at www.ampyxcyber.com

Episodes

  1. Vulnerability Overload: Making Prioritization Work in the Real World

    07/20/2025

    In this episode, Patrick Miller speaks with Kylie McClanahan, CTO at Bastazo, about the practical (and often messy) realities of patch and vulnerability management in operational technology (OT) environments. Kylie shares grounded insights into patching challenges, the gaps between IT and OT remediation cycles, and the real-world implications of relying too heavily on scoring systems like CVSS. The conversation covers CISA’s Known Exploited Vulnerabilities (KEV) catalog, exploring how it’s being used (and possibly misused) in prioritization workflows, and where the disconnects lie between policy directives and operational feasibility. Kylie also critiques the current state of vendor responsiveness, machine-readable vulnerability disclosure (CSAF), and the importance of asset and exposure awareness. This episode is essential listening for practitioners wrestling with patching fatigue, program prioritization, and the tradeoffs between theoretical vulnerability data and applied security outcomes in critical infrastructure environments.

    Links:

    - CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities
    - CISA vulnrichment: https://github.com/cisagov/vulnrichment
    - Vulnrichment, Year One: https://www.youtube.com/watch?v=g5pSVMnWD7k
    - CISA SSVC: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc
    - Carnegie Mellon SSVC: https://certcc.github.io/SSVC/
    - CSAF: https://www.csaf.io/
    - VulnCheck KEV: https://vulncheck.com/kev
    - Kylie McClanahan on LinkedIn: https://www.linkedin.com/in/kyliemcclanahan/
    - Bastazo: https://bastazo.com

    36 min
  2. Energizing Cybersecurity Careers: Workforce Development in OT/ICS

    03/03/2024

    Join us for a discussion on Energizing Cybersecurity Careers: Workforce Development in the OT/ICS Community. Guests Cynthia Hsu and Erin Owens dive into the cybersecurity challenges facing Industrial Control Systems and Operational Technology asset owners. Through open conversations, we explore everything from skill gaps and career pathways to diversity, continuous learning, and the impact of new technologies. This session aims to provide insights into developing a skilled, diverse cybersecurity workforce – starting from the ground up – with a focus on practical strategies for professionals, educators, and anyone interested in the future of ICS/OT security.

    Show links:

    - Cynthia Hsu LinkedIn profile: https://www.linkedin.com/in/cynthiahsu33/
    - Erin Owens LinkedIn profile: https://www.linkedin.com/in/erinowens/
    - DOE CESER Cybersecurity Training for the Utility Workforce, free 3-day ICS Cybersecurity training for electric and ONG utility staff. Next training event: Buffalo, NY, April 23-25. Register at: Eventleaf | Event Registration Software and Mobile Event Apps
    - DOE CESER CyberStrike™ professional cybersecurity training for operational technology environments: https://inl.gov/cyberstrike/
        - LIGHTS OUT – focus on Ukraine attacks
        - NEMESIS – focus on nation-state TTPs
        - STORMCLOUD – focus on renewable energy
    - DOE CESER CyberForce® workforce development program for college students focused on building a pipeline of cyber professional candidates in operational technology cybersecurity: https://cyberforce.energy.gov/
    - Sandia National Laboratory Tracer FIRE (Forensic Incident Response Exercise): https://github.com/sandialabs/Tracer-FIRE
    - Center for Cyber Defenders: https://www.sandia.gov/careers/career-possibilities/students-and-postdocs/internships-co-ops/institute-programs/titans-technical-internships-to-advance-national-security/titans-cyber/
    - Cyber Defense Center: https://www.cyberdefensecenter.org/

    1h 8m
  3. Simplifying ICS Security Metrics

    03/09/2023

    Getting started with ICS and OT security metrics can be hard. What do you measure? How do you represent it? Do you even have the data? In this podcast, we talk with Erin Torruella to share her experience from building and managing metrics for multiple different sectors. She provides great advice on where to start and how to get the effort going in the right direction.

    ChatGPT response was…

    Operational Technology (OT) and Industrial Control Systems (ICS) are crucial components of critical infrastructure, and their security is essential for ensuring the safety, reliability, and availability of essential services. To measure the success or failure of an OT/ICS security program, several metrics can be considered, such as:

    1. Vulnerability Management Metrics: This metric measures the number of vulnerabilities identified, the number of vulnerabilities remediated, and the time it takes to remediate the vulnerabilities.
    2. Incident Response Metrics: This metric measures the effectiveness of the incident response process. It includes the time it takes to detect, contain, and resolve an incident, as well as the number and severity of incidents.
    3. Compliance Metrics: This metric measures compliance with relevant security standards, regulations, and policies. It includes the number of audits conducted, the number of non-compliances identified, and the time it takes to remediate non-compliances.
    4. Risk Management Metrics: This metric measures the effectiveness of the risk management program. It includes the number and severity of risks identified, the number of risks mitigated, and the time it takes to mitigate the risks.
    5. Awareness Metrics: This metric measures the effectiveness of the security awareness program. It includes the number of training sessions conducted, the number of employees trained, and the level of understanding demonstrated by employees.
    6. Asset Management Metrics: This metric measures the effectiveness of the asset management program. It includes the number and types of assets identified, the level of asset classification, and the accuracy of the asset inventory.
    7. Performance Metrics: This metric measures the performance of the OT/ICS infrastructure. It includes uptime, availability, and response time.

    Thanks for listening!

    Show links:

    - Erin Torruella
        - LinkedIn: https://www.linkedin.com/in/erin-torruella/
        - Twitter: https://twitter.com/LadySqrrl
        - Mastodon: https://infosec.exchange/@ladysqrrl
    - JD Christopher SANS talk on ICS Security Metrics: https://www.youtube.com/watch?v=gIsLP_Dtv7M
    - JD Christopher SANS blog post on ICS Security Metrics: https://www.sans.org/blog/mature-ics-security-with-metrics/
    - S.M.A.R.T. Methodology: https://en.wikipedia.org/wiki/SMART_criteria
    - DHS CISA Cross-Sector Cyber Performance Goals: https://www.cisa.gov/cross-sector-cybersecurity-performance-goals

    44 min
