Zero Trust Meets OT - Securing Critical Infrastructure with Jori VanAntwerp Part 2 | Episode #19

In this episode, John Martinez sits down with EmberOT founder Jori VanAntwerp to explore the unique challenges of securing operational technology environments where downtime isn’t an option. They break down the differences between IT, OT, and IoT, and why legacy systems and segmentation play a critical role in reducing risk. Tune in for a practical look at Zero Trust in systems where cybersecurity has real-world, physical consequences.

Transcript

And for those in the audience—I chuckled a little bit when you mentioned UDP—it brought me back.

For anyone who has ever had a networking interview and been asked: “What’s the difference between TCP and UDP?”—I’ve definitely had that question.

That’s why it’s important to know your TCP/IP networking. Even today, with how much we do in IT being TCP-focused, there’s still a lot happening over UDP that people ignore. It’s incredibly important. ARP lives there—that’s kind of a big deal.

We’ve gotten so good at these things that they’ve almost been left behind. It’s like, “Oh, that runs perfectly—who needs to understand it?”

Yeah, who needs to understand how networks work?

So, shifting a bit more toward the security side—especially in OT environments—can you talk about the types of attacks, the TTPs?

I talk a lot about Zero Trust, and we’ll get there, but I like to connect it to attacker behavior. You mentioned gray hat hacking earlier—ethical hacking, pen testing—understanding how attackers think.

What kinds of tactics and techniques are attackers using in OT environments?

That’s a great question.

We’re a data-driven, asset-driven company—that’s our methodology. A lot of organizations are intelligence-driven, which is what you’re describing.

In OT, intelligence is important, but it doesn’t always have the same day-to-day impact. It’s less about tools and more about tactics and techniques.

There have really only been about seven major ICS/OT attacks: Stuxnet, Havex, CrashOverride, Industroyer2, Triton, and Volt Typhoon.

What’s interesting is that most of these required a massive amount of reconnaissance.

That’s actually the most common thing we see—attackers entering environments just to gather reconnaissance.

Take CrashOverride—the Ukraine power grid attack in 2016. We have indicators of compromise for it, but they’ve never been seen elsewhere. It only worked in that specific environment—and even then, it didn’t fully succeed.

An operator noticed the issue and switched to manual mode. There was no outage.

The key lesson: the attackers didn’t fully understand the environment.

Contrast that with Stuxnet, where the attackers knew exactly how the centrifuges worked. That level of research made the attack effective.

So reconnaissance is critical.

But what we see more often—especially in the news—is “splash damage.” That’s ransomware.

Not ransomware targeting PLCs or HMIs directly—but ransomware taking out the jump boxes.

In most OT environments, there’s a DMZ between IT and OT, and access is controlled through jump boxes. If ransomware hits those, you lose visibility and control.

How do you monitor your OT environment if your jump boxes are down? Suddenly you have a major issue.

Attackers often come in through IT—phishing, compromised credentials—and move laterally.

But another path is physical access. Many edge locations—pump stations, substations—aren’t well monitored. Someone can walk in, plug in a device, and that device becomes the entry point.

That’s how reconnaissance often happens.

And what’s scary is we don’t know what that data will be used for.

That’s why monitoring and protection are critical.

Ransomware is still the biggest issue. Colonial Pipeline is a great example.

They had a public-facing VPN with a weak password. An attacker guessed it, got in, and didn’t even realize what they had accessed at first.

Once they explored the IT environment and understood where they were, they deployed ransomware.

That took out the jump boxes and spread through IT systems.

Even if OT wasn’t directly compromised, the operators lost visibility—so they shut everything down.

That caused massive economic impact.

And that attack likely wasn’t even targeted—it could have been opportunistic.

That’s what we mean by “tripping over the fence.”

OT is targeted sometimes—but much of what we see is collateral damage from traditional IT attacks.

That’s a great primer.

So let’s talk about Zero Trust. If I ask 100 security professionals what Zero Trust means, I’ll get 100 different answers.

What does Zero Trust mean to you—and specifically in OT?

Zero Trust in OT is difficult because of how these systems operate.

Devices need to communicate freely at the edge, often in real time.

But at a high level, Zero Trust means only allowing communication between explicitly approved entities—whether that’s accounts, devices, or data.

There are different layers: account-level, device-level, and data-level Zero Trust.

Across all of them, the principle is the same: only allow communication between verified, approved entities, and ensure encryption wherever possible.

It’s also about verifying that a device is actually what it claims to be.

The term “Zero Trust” is a bit misleading—we’re not trusting nothing. We’re defining exactly what is trusted and why.

Right—and that ties into identity verification, which is a core part of Zero Trust.

But in OT environments, where authentication is often limited, how do you connect activity back to a person or identity?

In many cases, that “last mile” is handled through data verification rather than identity.

One approach is using something like digital twins, where the data itself becomes the source of truth.

The system verifies that the data hasn’t been altered—hashed, validated, and consistent.

So instead of trusting the device or user, you trust the integrity of the data.

At higher levels—like managed switches or centralized systems—you can apply more traditional Zero Trust controls.

That makes sense.

Switching gears—congratulations on launching Ignite Onsite. Tell us about it.

Ignite Onsite is a product bundle designed for responders, consultants, and advisors.

It includes our Ember sensor—a software-based sensor that doesn’t require a hub-and-spoke model. Everything is processed locally: ingestion, analysis, normalization, threat detection.

You can deploy it on existing hardware.

Ignite Onsite provides three standalone sensors that responders can deploy as needed. They capture packets, analyze environments, and provide actionable insights.

The goal is to empower responders and automate parts of their workflow.

That’s great.

So—what gives you joy in your job, and what keeps you up at night?

What gives me joy is helping the next generation of defenders.

We get to be the tools—the armor, the support system—for people protecting critical systems.

It’s that classic good-versus-evil dynamic. That’s what I love.

What keeps me up at night is bad information.

There’s so much incorrect or misleading information online. You can search “Zero Trust” and get multiple conflicting answers.

Even when information isn’t wrong, the way it’s presented can be misleading.

I wish there were better ways to validate information.

That’s why I use something like the Diamond Model—compare multiple sources and triangulate the truth.

Because honestly, we can’t trust everything anymore—not even reviews.

That’s fair—and especially with generative AI, bad data leads to bad outputs.

Exactly.

So what advice would you give to someone entering cybersecurity?

Cybersecurity isn’t really entry-level.

You need to understand systems first—how they work, how they communicate, what matters operationally.

Start with the basics: networking, operating systems, system internals.

Be curious. Experiment. Break things and learn from it.

You don’t need to jump straight into tools like Kali Linux. Start with understanding Windows, Linux, how systems interact.

If you can, get hands-on experience—even a cheap second computer to experiment with.

Also: spreadsheets are incredibly powerful. Learn to analyze data, logs, correlations.

That aligns with what I tell people—there’s no substitute for fundamentals.

Exactly.

What accomplishment are you most proud of?

Two things.

First, starting my own company. It’s challenging but incredibly rewarding.

Second, restoring a car.

Taking something broken and making it functional again—that’s deeply satisfying. And it connects to OT—working with real systems, physical impact.

That makes sense.

As we wrap—anything you want to share?

Yes—we have a free tool called PCAP Analyzer.

It helps identify assets, protocols, and behaviors in your environment. No cost, no strings attached.

It’s there to help people understand their environments better.

Thank you—it’s been a great conversation.

And that’s our show. Check out EmberOT and Jori’s LinkedIn—links in the description.

Thanks again.
