At the end of the day, you're running on information, and you're running on that information. Why? It's not just to get from point A to point B and to do it safely and with speed, but because it's a business. And so, cyber security is a business decision. It's a business risk.

Welcome to Embracing Digital Transformation, where we explore how people, process, policy, and technology drive effective change. This is Dr. Darren, Chief Enterprise Architect, educator, author, and most importantly, your host. On this episode: Maritime Cybersecurity, Managing Risk and Cyber Threats, with returning guest Betsy Freeman and special guest Brock Hashimoto.

Betsy, Brock, welcome to the show.

Thank you.

Thanks for having us.

Hey, everyone that listens, before we dive in today, people should know we're going to talk about cyber security and the transportation realm. Specifically, there's really cool stuff going on up in Michigan that we're going to talk about. But before we go there, everyone that listens to my show knows I only have superheroes on the show. And every superhero has a background story. And Betsy, you've been on the show before, but I don't think people have heard your background story. So we'll start with Betsy. What's your origin story?

Well, I'll scare you with this. And I'll start with the back part and come forward quickly. United States Air Force active duty officer for many years. Went into, left the service right after Desert Shield, Desert Storm. I was the last time I was at the Pentagon. Went to big industry, out to Pricewaterhouse and, through its merger, PricewaterhouseCoopers, for about a decade after that. And then returned to my first love in the DOD and was fortunate enough to serve on the executive staff of two Secretaries of Defense in the DOD, back at the Pentagon one more time. And then retired from the space at the Pentagon as a deputy CIO in the DOD CIO, quite a few years later, then came back to Michigan, which is home.
And founded two businesses, one which was Radius Advisory Group. And I still have that; it's a management consultancy. And what I'm really pleased to talk about today with Brock is our role as a Synergist Mobility Accelerator, a 501(c)(3) nonprofit that is based here in Michigan.

Now Betsy glossed over the dead body she left in her wake.

Oh, me.

No, I'm just kidding. No. Betsy is a force to be reckoned with. Very, very dynamic. Thanks, Betsy, for coming on the show again. We're going to have a lot of fun today. Brock, you're a newcomer to the show. Superhero, obviously, as I only have superheroes. What's your background story?

Yeah, sure. So I got into the maritime space. I'm a Kings Point graduate and direct commissioned into the Coast Guard. I did 11 years active duty in the Coast Guard as a marine inspector, all things maritime related. And transitioned to the reserves in '21 and master out a little bit from Fortune 70 companies to startups to everything in between, and started Argusy Group about three years ago, and just decided to take my knowledge that I learned in the Coast Guard and all my experience and jam it into a business, because I saw the need for kind of the niche thing that Argusy offers, and decided to grow it, and actually partnered with a couple of Coasties that I was stationed with way back when and been in touch with ever since. And anyway, you kind of jammed all heads together and started Argusy Group, and here we are today, three years later. And just getting started, so happy to be here and happy to talk about what we got going on on the cyber security front.

So yeah, when I hear maritime and cyber security, I never put the two together. Right? Because, I mean, especially commercial maritime, right, we're talking moving people and also cargo, and when I think of moving people, I only think of cruise ships, but we know that's not true.
There's ferries and there's a whole big huge industry, but what in the world does that have to do with cyber security? I mean, cyber security is the digital world. What? I mean, come on. I mean, unless you're moving data centers. Are you moving data centers on barges or something? I mean, maybe I can start about cyber security there. I don't know. Yeah, why is it a big deal, Brock? Because obviously it is. I mean, you're making a business out of it.

A portion of the business. Yes, for sure. Yeah, so, you know, for the longest time ships, you know, weren't connected to the internet and everything else around the world. When I was sailing around as a cadet, you know, email would come through maybe once a day, and it would come through satellite, and it was very limited on how you were connected when you were underway at sea. And even in port you were, you know, buying a SIM card from the agent and putting it into your phone and, you know, getting phone cards and all these things. But, you know, here we are, 20 years later, and everybody wants to be connected constantly, you know, with Starlink, with the approved satellite communications. You know, it's just easy. It's easy to be connected and, you know, not only the crew, but the owners want to be connected to their ship. They want to see what's going on. They want to be able to monitor systems. They want to be able to do those things and communicate with those systems on board like they haven't ever really been able to do before. And so with those constant communication feeds going in and out, data being transferred, there's definitely a threat level there to be hacked, and we've seen that throughout here in, you know, the last 10, 12, 15 years. You know, we've seen that happen, from GPS spoofing to GPS denials to all kinds of things, and it's just an evolving lens. It's an evolving landscape, and for the longest time, like I said, it was just not connected.
That was the beauty of being underway. But now everybody wants to be connected and it's easy.

So yeah, just when you can take over a ship. Yeah, so Brock, let's talk a little bit about that. And Betsy, please weigh in with your experience in the Department of Defense and being a CIO in the Department of Defense. Cybersecurity has so much been in the IT side of the house, not necessarily on the operational technology side. Is that still the case, Betsy, that the main focus is on the IT side, even with maritime, or are we starting to see a convergence happening?

I think you are starting to see a convergence. I think the key thing here is that whether you're talking about security on a military platform, whether you're talking about on a recreational boat, on a ferry, on a barge that's moving something from one part of the world to the other, people want to do it with speed, accuracy and safety. And they don't want to think about the digits and about what could get them and what could... they just want to do the job. And I think that's the part that Natalie is part of and has been for I think for a lot of years now. I worked this as a deputy CIO, not the DOD CIO, but the deputy CIO, one of the deputy CIOs. What we constantly looked at is how can you do the balance between the regulatory things like compliance and also be secure, because those are two different things. Same thing in our commercial world. You look, you take an airline flight, you take a ride on the bus, you go on a railroad for a visit to a sister across the state or two states away. You don't want to have to think about, can I use my phone, can we get there safely, are we going to this, are we going to that? That's what this does. It's a seamless integration between the IT and the OT. There is a very big difference between information technology and cyber security. And so people still get those confused many times in business. Sometimes it gets confused in other quarters too.
But the convergence of those things, to your point, is so close now that you really... it doesn't make them the same thing. It just means that they're highly dependent. It's an ecosystem of all the things that we run.

And this is kind of breaking down the traditional... and Brock, you already kind of mentioned this. This is breaking down some of the traditional isolation that existed on ships, right, and in the OT space, right? If I don't have connectivity, no one can hack me. Right? Except for maybe GPS jamming, right? But even with the GPS jam, I have other techniques I can use to find out where I'm at. Bring out the sextant, bring out, you know, a compass. I can figure it out, right? But like Betsy said, that's all converging. So now these ships are starting to rely a lot more on IT to know where they're at, what speed they need to go. But there's also another boundary on the ship between the operational side and the IT side. Is that boundary still intact, or are they starting to merge those two, like the things that control the engine or the things that control cargo, you know, temperature, or, you know, anything that's controlling the physical world? Are they starting to break down those barriers too, or are those still intact?

So I would say, yes and no. They're still intact for now, but there's this constant push to know more, know more, right, from the shore side. The vessel operators are there seeing it live, but, you know, the charterers want to know what's going on. The operators, the owners, they want to know, you know, what's going on, so they can monitor things. So this big push to push data off the ship, to let those people know what's going on, you know, all these things. Yeah, I would say it's linearity now, but it's quickly becoming merged together very quick and fast.

Yeah, you're in... it all comes down... I'm sorry, go ahead.

Go ahead, Betsy.

Yeah.
I was going to say it all comes down to the point that it doesn't matter if you're still using a paper tablet and a sextant or whether you have a transportation management system that's an app on the ship. At the end of the day, you're running on information, and you're running on that information. Why? It's not just to get from point A to point B and to do it safely and with speed, but because it's a business. And so cyber security is a business decision. It's a business risk. And so it has to... I think that's the biggest thing in the, if you will, in the landscape that's emerging. And I'm thrilled to see it in the marine business, because there's a lot of reluctance in many other areas in the world and transportation. Right? You don't see total solutions in anything else yet. There's a railroad conference coming up in Washington, DC next month that's about cyber security. That shocked me. Yeah, it's like, wow. Okay, because people are starting to figure out that this is not just something that sits on the side and it's not just an IT responsibility. It needs to be the impact for the operation of your business. And so to your point, when something starts to impact the operation of the business, now you're talking about return on investment. You're talking about a bigger business risk from reputation and financial and legal and all of those areas. And as that happens, this stuff will converge and it won't be nearly as bifurcated, I think, as it has been.

So we're starting to see that happen. What impediments are you seeing out there that are slowing down the adoption of cybersecurity best practices in this space? Because there's obviously something that has slowed it down. Otherwise, it would have already adopted it. So what are you seeing out there causing the slowdown?

So I think from my perspective, what I see is the maritime industry is rooted in tradition, to its own fault.
That sometimes. Yeah, right. So.

All right, wait, I got to stop there for a second. Tradition. So do you still get keelhauled if you do something bad in...

Depends, depends on... Yeah, no, we just get the blog. It works good, right?

Yeah, right. Yeah. Yeah, look at that. Yeah. Yeah. Yeah. You are right. Tradition plays a big role here. So culture, right, is a big play.

Yeah. Yeah. Yeah, culture plays a big role. I mean, fortunately, we're seeing a big word of very interesting turning point in the industry right now. And in involving new technologies and integrating new technologies into the maritime space. And you know, with that comes a different thought of how we deal with these new technologies and creating this cybersecurity into traditional ship systems, which have been, you know, traditionally. And we're not off the grid, I guess, people, right? But I think the slowness to adopt. So we've been, they've been trying to push, you know, the international society and class societies have been trying to push cybersecurity for a long time. And I think it's just the reluctance to admit that, yeah, these vessels... there is a threat there. It just never was really thought about, I don't think. And I think a lot of people just don't understand what the threat is. So they just scoff it away. You know, like, I don't really get it, so, you know, it's not going to happen to me. Like, we'll figure it out when it happens, right?

So are there any international bodies that are kind of pushing for better cybersecurity in... especially the thing that comes to my mind is cargo. These massive cargo ships. And if someone were to take over one of those ships, you could do a lot of damage to a city, to, you know, hundreds of millions of dollars of merchandise. There's a whole bunch of risk involved here. So are we seeing any international standards or international pressure being put on adopting better cybersecurity best practices?
Yeah, yeah, the International Maritime Organization has been pushing cybersecurity for a while. And through classification societies, which are basically, I would say, the overseers of international regulatory compliance, is how that works. And, you know, with the backing of the IMO and class societies putting out class rules about how to deal with cybersecurity, yes, it's been pushed internationally. And it just really hasn't hit the US with the same power as it has internationally, just because the Coast Guard actually, you know, regulates all of the commercial maritime commerce. And, it's not regulated by the Coast Guard, it doesn't really apply to our US fleet here, US flag vessels. So, you know, last year in 2025, the Coast Guard finally published and made into regulation some cybersecurity rules and standards that are coming into effect. And I think that if it isn't required, more often than not it's not going to be done. So, there has to be some requirement, some regulatory backing to really push that piece forward with anything. Especially in the management industry, but, you know, the cybersecurity thing, I think having the Coast Guard finally push those regulations through, making it mandatory, is the horsepower that's going to get everybody in compliance, because now they have to. There's no ifs, ands, or buts about it.

Yeah, this is like pushing peanut butter through a funnel. The number one issue, and I do this still when I go on speaking engagements, because people ask me the question, what's the number one thing that is a barrier to success with this? And I take my compact out of my purse and I open it and I turn it and I say, right here is a barrier. And I salute the Coast Guard for stepping up to put the teeth into this, to actually make it mandatory.
But at the end of the day, it does come back down, and you said it, Darren, it comes back to the word risk. You could delete the word cyber security from anything. Security is the key. Cyber is part of the overall security of the operational side of the business, of the IT side of the business, of the economics, of the brand.

That's really interesting, Betsy, because you brought up an interesting point. Everyone knows if you're sailing off of the coast of Northern Africa, East Northern Africa, small area. Yeah, you have to have protection. Or they're going to take your ship. That's just, I mean, we've seen it time and time again. Do we need a big event in the maritime where someone has hacked the ship and taken over control for people to stand up and say, oh, maybe we should do something outside of security? Or do you think they're going to make that shift on their own?

Well, I think Brock and I both hope that that shift happens on its own.

You can see that I want it to happen on its own too, but yeah, you can see the telltale signs of all of that.

And it's not just in the maritime business, right? It's in all business. But look at maritime alone. Look at the security of ports. You brought up the security of the ship itself. What about the security of the containers? The containers on the ship have computers in them, you know, monitoring what's in there. So something could happen with that and the container can blow up. Most of the transportation management systems, what are they? They're apps. And so we know apps can be hacked. And what do those transportation management systems do on the commercial ships that have them? They actually run the ballast on the ship that, you know, keeps it steady in the water, right? So it doesn't go well. We're there. And they run all of the functions. So again, this is about, you know, operationally, if something's going to stop my business.
And in this case, we're talking about marine business. If something's going to have an impact on my ability to operate the business, which is my ability to make money and to generate money, right, and deliver goods and services as I've committed to people to do via contract, then I got a big business problem. Cyber security is part of that.

Yeah, no, I can see that. So how are you guys out there evangelizing? Is that your main thing right now? Get out and evangelize, teach people in the maritime industry. What is real cyber security best practices? What, you know, how is it different than traditional IT? Because it is different. I mean, you're talking about some OT stuff here, right? And you're talking about, you know, the real world. It is a different story. So is that where you guys are focusing right now, on education and evangelism? Or do you have solutions that I can go, Brock, I'm going to start my own cargo business. I want to build security in. Give me my security, you know, just hand me like a container. I hand it in and all of a sudden my maritime business is ready to go. Is it that easy? What's your guys' approach here?

Yeah. So, to your point, teaching is definitely an important piece. Being educated about what all this is. But, you know, our solution is, we're kind of past the teaching phase, because now we have regulations that are in place that require people to be compliant. We've been talking mainly vessels, but this also affects all regulated facilities in the US as well. So it's a massive... I mean, we haven't had this big of a maritime security shift since MTSA was formed back in 2004. So, and that was all physical security. That's like something tangible. It's easy. You can stand up a fence one day and be good, right? Like, you know, and there was a lot of pushback and waiting to the last minute even just with that, you know. So, you know, cyber is a whole different animal.
It's not tangible. You can't just put up a fence one day and be compliant the next, right? It's not that easy. And so we've recognized that, and I'm not a cybersecurity expert by any means, but I am a compliance expert. And that's, you know, kind of where we have formed this alliance together, to kind of partner to bring a one-stop shop solution to the industry. Basically, you know, we have the technical cyber compliance piece of it, the vulnerability assessments, all the things, the technical side that goes into it. We have the compliance piece that comes after, and then we have the continued, you know, support after you implement the plan, and that's required for the regulation. So again, we're offering a service to be a one-stop shop. You only have to think about it. It's kind of like a done-for-you model. Because again, it's not something you can just walk into and put up a fence, put up a security guard and call it a day. So it takes such a long going.

So it's more of a relationship that you have with these. It's not a turnkey, I buy it off the shelf and I'm done. It's a long relationship that you've formed. And this is where Betsy and Betsy's organizations have come in to help as well, right?

Yeah.

Yes, absolutely. We were very fortunate that Argusy invited the Synergist Mobility Accelerator to come in on this with our cybersecurity expertise. At the end of the day, I think the shift here is about the mindset. But the time for evangelizing is almost over. We've been evangelizing in the cyber business for 20 years. You know, you can tell people, but until it hits them, they're not sure they really need to do something. So we got together and said, you know, let's skip that step. Because if you don't believe, you don't believe, but to Brock's point, compliance is compliance and the government's going to require you to do that. And that's a good thing in this particular case.
So we joined together, and Brock's challenge to me was, hey, you have to find something. Big business is one thing. They have assets. They have, you know, resources. They can paper things. They can take the big scale stuff, right, that needs to be done. Even mid-tiers have a much greater ability because they have, you know, cyber security staff or even just security staff. And at least they have a point of contact within the organization. He said, you figure out what the small business solution looks like. Because he said, that's where I've got owners that have a boat and two barges, or a half a dozen boats, or a boat and a facility, right? And guess what? They don't have time. They don't have money. And you know what? They don't have the knowledge to do it.

They're not the expertise, yeah.

And so yeah. And so what do you say? You know, I have a small business. I started a small business. And my answer to that was, and I'm in this business, I don't have time for that. Who's got time for that? Right? And so no. So I think that's the challenge that they gave to us. And we feel like we met the challenge in that we're trying to bring together now, under this really great partnership, which we call Trident Shield Alliance, compliance expertise, our cyber security expertise, and learning to roll it up into the compliance type formats that are required by the Coast Guard for maritime systems. And so we're trying to get a lot of vessels and facilities. And to get that little small business net out there too, because that's the part that always gets lost. And they have to be compliant too. So we put a lot into that with Argusy, and they've allowed us some great flexibility to try to figure out things that could actually meet their clients where they're at.

And how you guys have taken this approach, instead of trying to build up all the expertise in one place, that you're forming these alliances.
I think it's a great way to go because you can still focus on what you're good at. And bring together, you know, this whole thing. You guys, this has been wonderful. I never thought I'd be talking cyber security and boats. Was not on my radar, but I know anytime Betsy calls me, I pay attention. And I'm always smart to pay attention to Betsy. She's always got great ideas. Always can bring great people to the show. So Betsy, thank you for this, and Brock, it's been a pleasure speaking to you today. If people want to find out more, where do they go to find out more about maritime cyber security, especially from a midsize, small company? Where do I reach out to get information for you guys?

Yeah, you can reach out to us. We have a page on our website, Argusygroup.com slash cyber security. Find out all of our information regarding the Trident Shield Alliance and links to Betsy's, the Synergist Mobility, and the cyber security experts that we work with over there. And along with our website and our specialties as well.

So we start with Argusy because at the end of the day, they are the leader in terms of compliance. And if you're already working with them, great. If you're not, you should be, because then again cyber becomes one more element of your compliance. It's not a separate thing. It's not something else you have to do. It rolls right into the systems and the compliance and the way they do things. And it's one of the reasons why we are really privileged to be kind of in the sidecar there, if you will, and to bring the cyber expertise.

Well, that's awesome. Betsy, thanks again, guys, for coming on the show.

Thanks for listening to Embracing Digital Transformation. If you enjoyed today's conversation, give us five stars on your favorite podcasting app or on YouTube. It really helps others discover the show.
If you want to go deeper, join our exclusive community at patreon.com slash Embracing Digital, where we share bonus content and you can always connect with other change makers like yourself. You can always find more resources at EmbracingDigital.org. Until next time, keep embracing the digital transformation.