Critical Assets Podcast

Hosted by Patrick Miller

Technology News

Website RSS feed

Episodes

Latest episode

May 2026

Language

About the show

The Critical Assets Podcast covers important OT and ICS security topics with an eye toward standards and regulation to keep you ahead of your adversaries... and your auditors. Ampyx Cyber. Securing your world. See our other content such as blogs, cybersecurity news and more at www.ampyxcyber.com

Listen to episodes

12 recent

May 11, 20261 hr 0 min

Policy Pulse: Regulatory Roundtable - Cyber Strategy, Large Loads, AI & CISA in Flux

Patrick Miller reconvenes with Joy Ditto (Joy Ditto Consulting) and Earl Shockley (INPOWERD) for a tour of the past two months in critical infrastructure policy. The episode opens on the administration's new National Cybersecurity Strategy and its six pillars, with focus on the openly offensive "shape adversary behavior" posture and the asymmetric risk it creates for asset owners likely to absorb retaliation.The panel then digs into the pressures reshaping the bulk electric system: data center designation, cloud-hosted control centers running NERC standards while the underlying compute is unregulated, and the physics of computational loads that behave nothing like traditional load. Earl walks through the recent NERC Level 3 alert on large load connections, an unusually serious signal that industry processes are behind.The discussion also covers April infrastructure executive orders that release funding but ignore cybersecurity, hyperscalers displacing utilities as the top buyers of bulk electrical equipment, the multi-agency zero trust in OT guidance, and CISA's leadership uncertainty after Sean Plankey withdrew his nomination. On the AI front, the group unpacks what Anthropic's Mythos and the Glasswing response mean for vulnerability discovery at scale, and why no OT vendors are on the Glasswing list.Closing thoughts include Joy's note on satellite cybersecurity and a rare bipartisan Senate trip to China, Earl's emphasis that computational load is now an enterprise governance issue rather than a technical one, and Patrick's plea to stop making the adversary's job easy.Topics coveredThe new National Cybersecurity Strategy and its six pillarsOffensive cyber posture and the asymmetric risk to asset ownersData center designation as critical infrastructureCloud control centers and the NERC 100-series standardsComputational load, grid stability, and loss of system inertiaNERC Level 3 alert on large load connectionsApril infrastructure executive orders and the missing cyber languageSupply chain shifts and hyperscalers as the top equipment buyersZero trust principles for OT environmentsCISA Fortify guidance and CISA's current leadership statusAnthropic's Mythos, the Glasswing response, and the OT vendor gapSatellite cybersecurity and bipartisan engagement on China policyBasic hygiene: get exposed devices off the internet

February 1, 20261 hr 2 min

Policy Pulse: Regulatory Roundtable - NERC CIP, Cybersecurity Strategy, AI & Electric Sector

Welcome to the Policy Pulse Panel, a new monthly series within the Critical Assets Podcast. Hosted by Patrick Miller (Ampyx Cyber), Earl Shockley (CEO, Inpowerd), and Joy Ditto (CEO, Joy Ditto Consulting), this recurring panel dives into the most significant policy shifts and regulatory developments impacting critical infrastructure, operational technology (OT), and industrial cybersecurity. Each month, we unpack emerging legislation, agency actions, and standards updates - connecting the dots between policy and the practical realities faced by asset owners, utilities, vendors, and government partners. If you're trying to stay ahead of your auditors and your legislators, this is your monthly must-listen.https://ampyxcyber.com/podcast/policy-pulse-regulatory-roundtable-nerc-cip-cybersecurity-strategy-ai-electric-sector

July 20, 202535 min

Vulnerability Overload: Making Prioritization Work in the Real World

In this episode, Patrick Miller speaks with Kylie McClanahan, CTO at Bastazo, about the practical (and often messy) realities of patch and vulnerability management in operational technology (OT) environments. Kylie shares grounded insights into patching challenges, the gaps between IT and OT remediation cycles, and the real-world implications of relying too heavily on scoring systems like CVSS.The conversation covers CISA’s Known Exploited Vulnerabilities (KEV) catalog, exploring how it’s being used (and possibly misused) in prioritization workflows, and where the disconnects lie between policy directives and operational feasibility. Kylie also critiques the current state of vendor responsiveness, machine-readable vulnerability disclosure (CSAF), and the importance of asset and exposure awareness.This episode is essential listening for practitioners wrestling with patching fatigue, program prioritization, and the tradeoffs between theoretical vulnerability data and applied security outcomes in critical infrastructure environments.Links:CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilitiesCISA vulnrichment: https://github.com/cisagov/vulnrichmentVulnrichment, Year One: https://www.youtube.com/watch?v=g5pSVMnWD7kCISA SSVC: https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvcCarnegie Mellon SSVC: https://certcc.github.io/SSVC/CSAF: https://www.csaf.io/VulnCheck KEV: https://vulncheck.com/kevKylie McLanahan on LinkedIn: https://www.linkedin.com/in/kyliemcclanahan/Bastazo: https://bastazo.com

April 13, 202544 min

From CISO to Startup: OT Security, Leadership, and Lessons from the Field

In this episode of the Critical Assets Podcast, Patrick Miller interviews Darren Highfill, former CISO of Norfolk Southern, for a candid look behind the curtain of life as a security executive. Darren shares hard-won lessons from building and leading a cybersecurity program in a critical infrastructure environment, including how to gain executive buy-in, scale a team, and align security with business priorities. He reflects on the challenges of translating cyber risk into business risk, managing real-world incidents, and the evolving expectations of the CISO role. Whether you're in the chair now or working toward it, this conversation is packed with practical insights for anyone navigating cybersecurity leadership.Show links:Darren Highfill LinkedIn Profile - https://www.linkedin.com/in/darrenhighfill/NIST Cyber Security Framework (CSF) - https://www.nist.gov/cyberframeworkAnkrd website - https://www.ankrd.com/

January 4, 202544 min

Critical Conversations: IR, Forensics, and Regulation in OT

In this episode, we sit down with Lesley Carhart (@hacks4pancakes), a renowned expert in OT/ICS incident response and forensics, to explore the unique challenges of defending critical infrastructure against cyber threats. Lesley shares insights into how internal OT teams can better support external IR teams, evaluates global and sector-specific preparedness, and discusses the impact of regulations on effective incident response. We delve into the complexities of defining and reporting incidents, the potential for improved approaches, and actionable advice for those looking to enhance their IR and forensics skills. Lesley also gives a glimpse into the future of their work and their continued mission to strengthen cybersecurity in critical infrastructure.Show Links:https://www.linkedin.com/in/lcarhart/https://www.threads.net/@hacks4pancakeshttps://bsky.app/profile/hacks4pancakes.comhttps://infosec.exchange/@hacks4pancakes

March 3, 20241 hr 8 min

Energizing Cybersecurity Careers: Workforce Development in OT/ICS

Join us for a discussion on Energizing Cybersecurity Careers: Workforce Development in the OT/ICS Community. Guests Cynthia Hsu and Erin Owens dive into the cybersecurity challenges facing Industrial Control Systems and Operational Technology asset owners. Through open conversations, we explore everything from skill gaps and career pathways to diversity, continuous learning, and the impact of new technologies. This session aims to provide insights into developing a skilled, diverse cybersecurity workforce – starting from the ground up – with a focus on practical strategies for professionals, educators, and anyone interested in the future of ICS/OT security.Show links:Cynthia Hsu LinkedIn profile https://www.linkedin.com/in/cynthiahsu33/Erin Owens LinkedIn profile https://www.linkedin.com/in/erinowens/DOE CESER Cybersecurity Training for the Utility Workforce, free 3-day ICS Cybersecurity training for electric and ONG utility staff.  Next training event: Buffalo, NY, April 23-25,  Register at: Eventleaf | Event Registration Software and Mobile Event Apps DOE CESER CyberStrikeTM professional cybersecurity training for operational technology environments: https://inl.gov/cyberstrike/·       LIGHTS OUT – focus on Ukraine attacks·       NEMESIS – focus on nation-state TTPs·       STORMCLOUD – focus on renewable energy   DOE CESER CyberForce® workforce development program for college students focused on building a pipeline of cyber professional candidates in operational technology cybersecurity:  https://cyberforce.energy.gov/ Sandia National LaboratoryTracer FIRE (Forensic Incident Response Exercise): https://github.com/sandialabs/Tracer-FIRECenter for Cyber Defenders:  https://www.sandia.gov/careers/career-possibilities/students-and-postdocs/internships-co-ops/institute-programs/titans-technical-internships-to-advance-national-security/titans-cyber/ Cyber Defense Center https://www.cyberdefensecenter.org/

November 9, 202353 min

CIE: Architecting Infrastructure Immunity

In this episode, we take a deep dive into the world of Cyber Informed Engineering (CIE), joined by Ginger Wright, Program Manager at Idaho National Laboratory. This episode unpacks CIE's strategic efforts to integrate cybersecurity into the very fabric of engineering critical infrastructure. We discuss the evolution of CIE and how it's transforming the approach to system design. We cover the synergy between engineers and cybersecurity experts and the implementation of engineering-based mitigations. Get insights on building resilience into critical systems from the ground up.

September 5, 202359 min

One Rule to Rule Them All

Join Patrick Miller, CEO of Ampere Industrial Security and his guest Danielle Jablanski, OT Cybersecurity Strategist at Nozomi Networks as they continue their debate on the topic: "If you could have only one cybersecurity regulation, what should that be?" They cover everything from threat hunting, vulnerability management, attack surface management, incident response, breach notification, risk quantification, cybersecurity insurance, NIS2, NERC CIP, and what's best for corporate vs. public good.

June 26, 202343 min

Ghost in the Machine: a Future Look at AI and OT

Join Patrick Miller, CEO of Ampere Industrial Security and his guest Amanda Freick, CRO of Altruistic as they discuss the need for collaboration and breaking down cultural barriers to effectively utilize data and drive innovation in the energy sector with AI/ML. We also touch upon the importance of approaching generative AI and language models like GPT with a strategic mindset, understanding the specific needs and goals of the organization before implementation. Additionally, we talk about the importance of recognizing and leveraging the untapped skills and potential within an organization to drive transformation and democratize access to meaningful work.Show Links:Amanda Freick LinkedIn - https://www.linkedin.com/in/amandafreick/Altruistic Video Case Study - https://vimeo.com/733720685Tony Robbins Book, Life Force - https://amzn.to/3qTXRfj

May 11, 202342 min

Breaking into the OT Cybersecurity Field

Hear from an experienced ICS/OT Security Manager, Gabe Agboruche, on how to enter or upskill into the ICS/OT cybersecurity field. He answers questions such as… What training is available? What are the biggest obstacles? What are some common job roles? What are the best paying job roles? We also cover the asset owner’s perspective on how they can obtain and retain new cybersecurity professionals.SHOW LINKS:Gabe Agboruche LinkedIn ProfileGabe’s YouTube channel - Struggle SecurityMalware Traffic AnalysisFree Network EmulatorsICSVillageICS Village Youtube ChannelSans ICS Free ResourcesSANS ICS ConceptsDNP3 SimulatorsScapyCompTIA (Security+ and Network+ certifications)