In this episode of Modern Cyber, Jeremy sits down with Ann Dunkin, former CIO of the U.S. Department of Energy, to discuss the critical infrastructure that powers our digital lives. As data centers and AI drive unprecedented demand on the energy grid, Ann explains why "aging infrastructure" isn't always the biggest cyber risk, how the U.S. grid is actually structured (including the isolation of Texas), and why security leaders must move from "check-the-box" compliance to active risk management.
.png)
All right. Welcome back to another episode of Modern Cyber. As always, I am your host, Jeremy, and I am really excited to get into today's episode because not only do we have someone from a world that I and everybody should be really curious and wanting to know more about, we've got an opportunity to go deep with somebody who comes from that world, not only from the government perspective, but also from the infrastructure perspective, which I think a lot of us take for granted. But it is super, super important in today's world. I am delighted today to be joined by Ann Dunkin.
Ann Dunkin is an external fellow and distinguished professor of the Practice at Georgia Institute of Technology, commonly known as Georgia Tech. She's also the CEO of Dunkin Global Advisors, providing strategic business advice to companies of all sizes as well as fractional CIO services. She serves as an independent director on the governing board of Global Interconnection Group and the advisory boards for Bow Tie Security, Open Policy and CGI. And if, like me, you're thinking, oh, Ann Dunkin, I feel like I know that name. That's because during the Biden-Harris administration Ann served as the CIO at the US Department of Energy, a pretty high profile, big job. We're going to ask a few questions about that today. But she managed a five billion dollars IT portfolio and a billion dollar high performance computing budget. And she spearheaded initiatives in cybersecurity, cloud migration, and digital transformation at the DOE, aligning IT advancements with the mission to promote energy efficiency and environmental stewardship. Ann thank you so much for taking the time to join us on Modern Cyber today.
Jeremy, it's great to be here. Thanks for having me.
Awesome, awesome. I really do want to start by talking about what I mentioned in the intro, which is kind of, you know, the grid. We all live on it. We all kind of like I said, I think we all take for granted the fact that we can just walk into any room in our house, hit a light switch, and the lights come on. But, you know, we're taking for granted something that literally thousands of people work on on a daily basis. Are there any things in your mind that we should know about the grid? You know, the energy grid just to kind of start off.
Yeah. Yeah. Jeremy, I think there's a couple of things. So. So the grid is incredibly reliable. Um, we do take for granted that it's there. And when we have a blackout of any sort, you know, it's a big story, right? That you remember when, you know, the 1974 or whatever it was blackout in New York or the early 2000s blackout on the East Coast. Remember those because they're so unusual and it's so disruptive to our lives. You know, we couldn't we couldn't go a week without power. I mean, look at the poor people of Puerto Rico and the nine months they spent getting their grid back up. So so it's hugely important to us. It's also under more stress than it's ever been.
Yeah. So between climate change and the natural disasters associated with climate change and the increasing demands on the grid for power from data centers driven by AI, um, it's really unprecedented times for us looking at the grid in its modern form. And it definitely has some, some challenges. Um, a lot of aging infrastructure out there.
Yeah. Is it really is the demand the main growth demand driver really is data centers or is that something that, you know, we hear about because it's a big headline story, because of also things like NIMBYism and, you know, these data centers that a lot of people, myself included, think are not particularly attractive buildings. We know they're necessary, but, you know, nobody wants one in their backyard, for instance, because it doesn't it's not a pretty neighbor to look at, but is the is the data center boom really the main growth, uh, sector on the grid demand?
It really is. If you, if you look at the grid, our demand has been pretty flat for decades. And it's, you know, we've had brought more people on, um, more capabilities, but we've, we've found ways to be more efficient. And so it's been really stable. And now, you know, the, the projections are sort of all over the map in terms of it could be two percent, it could be twenty percent of what we're going to see over the next decade. But definitely we are seeing real power demand growth driven by AI and data centers. And I will also add that the desire to bring back manufacturing to the United States, which honestly so far has not moved the dial, right.
So, so the, the current administration is trying, um, you know, the previous administration had targeted specific things, semiconductors, other high technology that we thought was super important for national security. Um, and we were moving that dial a little bit. And so we're seeing some demand growth, say in Arizona, where a lot of those factories are, um, but this general desire to bring manufacturing back, if we bring more heavy manufacturing to the US, that will increase that load as well. So if you start thinking about, um, bringing aluminum smelters, bringing, uh, car manufacturing in greater amounts, right? All that is big demands on the power grid.
Okay, so those are big consumers to, to keep an eye out for if that stuff does end up getting a little bit further along. Yeah. Interesting. Now, you mentioned something else that I want to kind of get into and obviously for our audience with the cybersecurity focus, you talk about aging infrastructure. Whenever I hear aging infrastructure from an IT perspective, I always think about like the worst breach I ever suffered as an IT practitioner was on aging infrastructure. It was a server that, you know, honestly, was outdated past its end of life, but we were still using it. There were no patches available for it anymore, you know, no updates coming for it. And, you know, lesson learned. I got burned pretty bad at that organization at the time because I should have retired it. Is that true? Also in the context of, let's say, the energy infrastructure and the grid, is there stuff that's probably passed its sell by date?
There absolutely is. I think the interesting thing about the about energy infrastructure or any sort of big critical infrastructure is the oldest stuff isn't your problem. Okay. In terms of cybersecurity, the really old stuff, like think about a nuclear power plant. Yeah, our older nuclear power plants are almost completely air gapped. Right. Okay. And while I'm not one who wants to rely on the idea that you can airgap something. I mean, we're talking about analog controls, right? Things that are super difficult to hack into because there's nothing to hack into. In many cases, yeah.
There's no TCP/IP stack. How are you going to connect to it? Got it.
Exactly, exactly. So. So some of the oldest stuff is not a challenge. But certainly there are a lot of newer things in the grid. If you think fifteen, twenty, twenty five years ago. Um, that's where you start to see risks and you start to see risks. Bigger risks, um, with the newest things that are on the grid, because the grid used to be this very simple one way system. Um, you know, power, power goes to consumers. It doesn't come back from consumers. Um, things like that. And now you have two way traffic on the grid, uh, in terms of power. And you also have, uh, lots of IoT devices sitting on the grid.
Yeah. So I, you know, in my house in California had an inverter. Um, and that's a consumer, not only is the inverter basically a consumer grade product that, by the way, we found inverters that phone home to China. Right. Um, we've also, uh, it's on my personal network now. How secure is my network? Well, mine was pretty secure, but the average consumer has got an inverter. Maybe not. Yeah. And you've got, um, smart meters that beam out signals and people drive by and pick them up or even they don't even drive by and pick them up now. They're just connected directly to the internet. And so there's just all sorts of devices that the grid was never designed to have on it.
Yeah. But these home devices, I always think to your point about, you know, maybe you had a secure home network and I've done some work on mine as well. But I always think that the general rule of thumb is it's as secure as the defaults because for the, you know, ninety plus percent of consumers, they're going to take the thing out of the box. They're going to maybe if they're good citizens, change the default admin password on the device, but maybe not. And then they're just going to plug this thing in and go. And so, you know, that's, that's the defaults that I always think about and kind of worry about a little bit. But to your point, you know, we've got now all this flood of devices, but these IoT devices, these are generally kind of low power devices. So it's more, let's say, a data question than it is a grid demand question. Right?
Yes. That's about yeah. I've switched you from from demand right to security. Right. So yes. Yeah. Yeah. It's a someone getting into the grid through my insecure router and traversing, say to a substation controlled network or to a, um, you know, a, a control system for a section of the grid. Yeah. And then being able to do harm there.
Yeah, yeah, yeah. And one of the things, one of the challenges that I always worry about in this context, and you can correct me if I'm off base here, but you know, we've got a guy on our advisory board named Mikko Hyppönen, who's a well-known kind of author in the cybersecurity space. He's done some TEDx talks on this stuff. And he, he had this point that he made a couple of years ago and even became the title of his book. If it's smart, it's vulnerable. And the point is, you know, we've shipped out all these smart IoT devices, whether it's refrigerators, doorbells, cameras, whatever the case may be, they generally aren't getting updates. If they are getting updates, they're kind of, you know, best effort of the home consumer who, you know, again, in your case, in my case, we might look for BIOS updates and we might actually flash our devices and try to keep them up to date. But again, the average consumer probably isn't going to do that. And they ship with vulnerabilities that are probably not known at the time or and, you know, let's just give the benefit of the doubt, probably not known at the time, but get discovered later on. But then they continue to live on our networks at home. And so like, you know, this, this kind of like ocean of vulnerabilities out there is something that always kind of concerns me a little bit. Do you think about that the same way? Is that something, you know, is that kind of the direction that you think?
Yeah, I think about that. And in fact, a couple nights ago, I was checking my, my IP address reputation, just, you know, let me just see what's going on. Has anyone picked anything up that I'm not aware of, but the average person doesn't even know what an IP address reputation is, much less check to see if they're getting reported. Um, so, so yes, I, I worry, um, I worry a lot less that, you know, the control room at Southwestern Power Administration is going to get hacked or have a social engineering hack on them. Then I do that, you know, someone is just going to leave their network vulnerable. They're going to find their way into the next thing you know, um, they're in the grid control software in, in the, in the, uh, in the control center. Yeah. Um, so yeah, they're just everywhere.
Um, yeah. Now the grid itself has, uh, OT controls that have their own set of vulnerabilities that, that we worry about. But, um, you know, IoT is, is probably where we're going to get where we're likely to get burned. Yeah. And IoT has already been, you know, Pretty well established that a lot of IoT devices are used in botnet attacks and things like that because of some of these vulnerabilities. I want to come back to the, you know, kind of the national level grid for a second. And I want to get an understanding because I think I think I have a little bit of an understanding, but again, I could be off base. Is there a national grid? Are there regional grids? Is there a national grid that's composed of regional grids and there are state level grids? What's the right way to think about that layout?
Yeah, it's a complicated question. Okay. I mean, the way the best way to think about it is three pieces, right? There's an East grid, a West grid, and there's Texas, and Texas is completely disconnected from the rest of the US grid. Um, there are some really funny stories about that, including, um, so, so, so there's, uh, there's, there's some laws that say, um, if you deliver power across state lines, uh, you have to, there are certain laws about that. And years ago, someone was trying to comply with the law and ran a cable across the the river from Texas into Oklahoma, and it took them months to figure out who had connected their power grid. Um, but the other thing is that one of the, one of the, the power providers, um, Southwestern Power Administration, um, does serve power to Texas. But when they do, they shut off their connection to the rest of the grid and then they serve power to Texas and then they reconnect to the rest.
Okay. Because, um, the Texas grid, ERCOT, is isolated by law. So it's bizarre. Um, and it is a vulnerability for us because it makes it difficult to balance power across the United States. Um, and in fact, you know, that was part of their problem in 2021 when they had, um, sort of, yeah, winter 2021 when they had that cold snap that they really weren't prepared for. They had a bunch of assets offline and, um, had had tremendous loss of power and in some cases lives, Um, a few people. A lot of livestock were lost in Texas that winter. Um, partly because they didn't have the backup the rest of the grid.
East and the West interconnect in a few places. Okay. Um, and, um, it's, it's definitely not a national grid. It's a very weak interconnection. And that is also a weakness of our grid. Um, and then there are regional grid operators, um, that operate the grid within the, the interconnection area. So, um, so, you know, you have a bunch of different people operating the grid and then you have a bunch of utility companies below that delivering power to people. That's the sort of the simplest description I could give you.
Okay, okay, I'll go with it. I'm not sure that I understand all the nuance, but that's, you know, we could be here probably for days to try to understand all of that conversation.
Yeah, yeah, yeah. So so let's just go with this at this level of understanding for now. There's something in what you said that I want to try to make sure I understand correctly because you said there's some weakness in in some of the interconnectivity and obviously some weakness in Texas being disconnected. Um, but from that perspective, you know, the network security guy, I mean, he goes, well, no, there's micro-segmentation we've limited blast radius. That's a positive thing, right? But is it, am I conflating like transmission of electricity from transmission of data? And those are separate things.
Yeah. There are separate things. Your power and your data will run separately. And from a power standpoint, it is a it is a dance, right? You want as much interconnection as possible to have as much redundancy as possible. Okay. But you also want the ability to disconnect people when you start to see a problem, right? Because your goal is if you have a failure, you want to isolate that as quickly as possible, right? So that, you know, ten houses or a suburb or a city fail as opposed to taking down like what we saw in the northeast blackout in 2003. I think, where, you know, we had there was one problem and it cascaded across the entire northeast. Um, so, So the goal is both to be able to to share power and to back each other up, but also to be able to disconnect, um, quickly when needed. And, you know, that used to be entirely a manual process. Yeah. Um, and over time that's become more and more automated.
So, um, you know, you see, you see a spike in frequency because frequency spikes are a huge problem in the grid. And it's a very, very, very limited range of frequency you need to operate in before it starts to cause problems. So, you know, if someone sees a frequency drop off or frequency increase, they can make adjustments. If they can't make those adjustments, um, then they can cut off a piece of the grid and that can be done, um, by a computer now without human approval in some places, um, in order to avoid this cascading failures, uh, so an AI will continue to improve the ability to do that.
Okay, okay. By the way, fifteen minutes was our mark for the first mention of AI in today's episode. I always, just as a joke, like to kind of keep track of it.
I was slow there to get to AI.
I know you really were. But it's all good. Um, I really appreciate that understanding when you say frequency there. I mean, we're literally talking about, let's say, the frequency of an electron wave when we're talking about like the frequency range that we need to monitor for.
Right, right, right. So the US grid runs at about sixty hertz. And so you want to see it, you know, fifty nine point nine seven fifty nine point nine eight right. That sort of range.
Oh like literally that tight.
Yes. Oh wow. Okay. Tight range. And you'll see every control we ever go into. They'll be a big display that shows the frequency that the grid is operating at.
Wow. And the European grid. By the way, runs at fifty hertz, which is a huge problem when you want to share equipment. Um, like sending equipment to Ukraine, right? Transformers. They don't run at the right frequency. Yeah. So if you want to send a transformer that was built for the US market to Ukraine, you've got to retrofit it.
I guess that's the grid equivalent of the fact that my consumer electronics are one ten here versus two forty in Europe and things like that.
Yeah. Gotcha, gotcha. Um, so okay, so we've talked about a couple of different things here. Obviously, you know, just understanding the grid infrastructure. Super helpful for me. I really appreciate you taking me through that. And we've talked about some of these, let's say, IoT devices and growing demand and so on. At a high level, what are the like the macro cybersecurity concerns that you worry about? Is it that aging infrastructure? Is it the human operations? Is it the decentralization and kind of the collection of people that all have to work together to secure the grid between the East, West, Texas and the regional power? Uh, you know, utility companies, what are the things that you worry about?
Super question. I mean, I think, um, the number one thing is, um, the ability to keep, uh, nation state actors out of the grid. Okay. Um, other people are interested, but, but really, you know, if you look at. So if you look at what happened, um, with, uh, with the telcos, right? Telcos got compromised by an APT, you know, they, they had, they had this, this hacker, uh, this nation state hackers, uh, in there for quite a while and they say they're out. I mean, you can't prove a negative, but we're hoping they're out. Yeah. Um, we, you know, there are similar attacks going on on power infrastructure all the time. Um, and, um, you know, when you think about early last year with the chaos going on with DOGE, a lot of people who are in charge of, um, of, of grids and um, of grid security took their eye off the ball, right. Way down in staffing. They're a key asset. Um, some of the ISACs, uh, are less staffed and less funded. Um, super worried about, um, nation state actors getting a foothold in our grid. Um, and with the goal of being able to shut us off in the event of a kinetic war, right? And in the prelude of a kinetic war, I'm actually surprised that we've not seen any activity by Iran. Um, in our grid, um, this, uh, this, this week, you know, and they are not the best hackers. Um, but they're not incompetent either. So. Yeah. Yeah.
Um, you know, I am surprised and, uh, and, and pleasantly surprised, obviously that we've not seen any activity in critical infrastructure for them, but that's the biggest concern. And that goes back to, again, number one, social engineering, because that's the easiest way anybody gets in anywhere. Um, but also, uh, having all of the OT devices on the, on the, um, grid secure, um, things like, um, uh, programmable logic controllers and things like that. Right? Transformers. Um, transformers shouldn't have, you know, shouldn't be flying home. Um, But transformers are also made, um, in, in part in China, right? So yeah, what might be a transformer might, might be in, in any various other things we don't know necessarily. Um, where there might be an opportunity for someone to get in the network. So being able to monitor that and see it as soon as you might have, um, anomalous behavior and get rid of that. So those sorts of things, um, are just huge. Uh, and then you have the IoT stuff that is further on your perimeter that you have to worry about as well. Um, and even, you know, even the IoT things like building control systems, right? We've seen people traverse from building control system into other systems.
So, and, and from the IT network to the OT network. So making sure that, that the, that the core OT network of the grid is secure against those incursions is absolutely. I think the biggest thing anyone involved with grid security worries about. Yeah. And then, and then from there, you start to worry about things like, uh, demand and weather events and things like that.
Sure, sure. Is it fair to say that, you know, you focused on energy? Obviously, but is it fair to say that other utilities and other kind of critical services have similar, you know, parallel things, whether it's water or whether it's gas supply or things like that? Is it pretty similar kind of setup?
Yeah. So I was at EPA in the Obama administration. So I can talk about water. So we have five thousand electric utilities in this country. We have fifty thousand water utilities. And in both cases, the problem you have is that, say in electric utilities, maybe one hundred or maybe two hundred are large enough companies to have robust cyber security programs, right? Many of the other ones are small local utilities that don't have, you know, that one of the jokes was some folks, uh, from, I think it was FERC went out to a, uh, to talk to someone at a local utility and they're like, hey, can we talk to your cybersecurity guy? I'm like, oh, he's, he's mowing the lawn right now.
Yeah. That's also part of his job. Yeah.
Um, and so, you know, they have one or two people who cover all of it. Uh, well, you think about water, fifty thousand of those. Yeah. Again, there might be one hundred and fifty, two hundred that are big and robust. Yeah. And the rest are small and have very limited cybersecurity programs. Um, you know, when you look at some other segments of critical infrastructure, it's a lot better like banking, right? Yeah. Pretty much everybody in banking has got a pretty robust cybersecurity program. Um, elections, right. Every county that runs elections. So I worked, I was CEO of county, county of Santa Clara. We ran elections, right? That was a tight ship. And, and, you know, you're going to have some small counties that that may have some risks, but it's also a proportionate risk, right? So county. Yeah, it's a tiny number of votes. Um, so definitely other parts of critical infrastructure have your have challenges, but you know, um, pipelines, uh, the grid water are probably the most challenged just because there are so many players. Um, with, with limited, limited security and, you know, gas is actually a little better because pipeline operators are generally bigger. Um, but, but still, it's, it's, you know, it's a real challenge, um, from that part of infrastructure, which is water particularly different because of the, you know, the nature of water itself being, you know, much more of a local resource than a, you know, electric electrons I can transmit for n number of miles, right?
Well, yeah, I mean, if you think about, you know, they've built this one hundred years ago, they built this elaborate set of pipelines to pull water out of the Colorado River all the way down to California. And the amount of water that's lost in that process is massive. So yes, part of it is, is simply that, you know, moving water distances doesn't make sense. It's a local thing. Why would you move it in most places? Um, and I think, you know, but you could have had a system grow up with big water companies. We just didn't. We tended to stick to local co-ops, local city, county utilities. Um, that's just how the system has grown up in this country. Yeah. It's not that way everywhere. Just like, you know, there are countries that have exactly one power company, right? Yeah. That's it. Right. So it's just how our system has grown up is to be lots and lots of little local utilities.
Yeah, yeah. I want to get back to for a second to the topic of kind of the national security concerns around all of these critical resources. You know, we talked about kind of the nation states and so on is the right way to think about like, okay, what would be the primary concerns? The primary concerns would be disruption to daily lives, right? It would really be the, you know, turning off the grid, making, you know, electricity unavailable for hospitals, for critical medical services, things like that. Are there other concerns from a national security perspective that you have around nation states, or it really is kind of denial of service.
I mean, I think number one by far is that denial of service. But I would also say that that denial of service can be physically destructive. So it could be, you know, you think about. Right. Russia has very much targeted Ukrainian power for destruction consistently. Um, you could see something similar, uh, in that a cyber attack becomes, um, destructive.
So, uh yeah, Russia has consistently attacked um you know the Ukrainian power grid, you know, by bombing transformers. Um, and I don't think you're going to see anyone, uh, you know, in a situation where they're bombing our transformers, we have these lovely oceans that protect us from a lot of things. Um, but, uh, you certainly, we've certainly seen cyber attacks that can result in physical losses. Right? If you think about, um, you know, Iran losing its centrifuges to an attack. Um, you know, that, that, that I can't attribute, but we know where it came from. Um, yeah. So, um, the, the same thing could happen here where not only, uh, do we have a temporary interruption, disruption, but we have a long term disruption because a lot of transformers or other assets get destroyed, you know, and currently, I think the lead time for transformers is three years.
Oh, wow. It's not like, um, you're going to, you know, be able to get a bunch of transformers, um, out, you know, a lot, a lot of utilities, a lot of big utilities do have transformers sitting in their yards. Um, but lead times have become so long, uh, that in many cases, those transformers in their yards have now been used and they haven't been able to replace them. Um, yeah. So, so yeah, the number one thing I think that I worry about with the nation state actors is a denial of service, and you might see it as an instantaneous look at what we can do to you, or you might see it as a much more disruptive, um, experience trying to distract us or disable us while other things going on in the world.
Yeah. I mean, that's a legitimate concern and certainly something that I could imagine if I had, you know, your former role would have kept me up at night at times potentially.
So yeah. So yeah, I would comment that I would say, you know, we think that the Chinese have expressed that they're planning to take Taiwan in twenty seven. They've not been shy about that. Um, if in fact they were to do that, I think you could expect significant attacks on our critical infrastructure, uh, as a prelude to that, to try and distract us.
Yeah. Makes a lot of sense. I'm curious in your in your previous role and, you know, for those who are in that role right now, I know a lot of these, uh, utilities and kind of critical services, they're regulated, right? So they have compliance standards, they've got checklists, things that they have to go after. But I always, you know, you hear this expression, security is not compliance. Compliance is not security. It's this balance, right? Where you. Yes, yes. You have to be compliant. Like that's a obviously required. But then there's risk management that you have to think about above that as well. Right?
Absolutely. And I talked to I've talked a lot about this. When I came to the government during the Obama administration, we were really all just checking off the compliance lists and not looking at risks and really talked about that a lot. And when I came back in the Biden administration, it was clearly different. Um, which is good. Um, but as we pile more compliance on whether it's government, whether it's the private sector, whoever it is, we run the risk of people going back to only worrying about compliance. So I tell people, you know, do your risk management, do your risk register, and you can build the compliance component into that and say, you know, there's a risk of non-compliance. Um, I still might find that something is more important than complying. When I look at the whole the whole thing. Certainly for federal CIOs, you couldn't comply with everything that was asked of you. And so you had to do that risk management and not comply with everything. Compliance with with FERC and NERC and local regulations are just table stakes for utilities. They've got to do it. Um, but that does mean that they sometimes are not acting on all their highest risks because they can't stay in business if they're not in compliance. Um, so it's a huge is a huge issue when people get too focused on compliance and not enough on risk management.
Do you have any tips on how to balance that? Because it's a, it's a fine line to walk because, you know, it's like, okay, great. I've got I've got my compliance standard. I got to do great. Table stakes, as you said, I've got risk management and I've got risks that I know about. And that might be coordination risk or, you know, people leaving the organization or whatever the case may be. But then I've got a threat model that I might actually want to think about if I zoom out and I think about like, where am I vulnerable? Where am I likely to be attacked? It can be overwhelming, I think, for a lot of people, especially as they step into a leadership role. Maybe for the first time, where they're having to find the right balance because like, there is no matter what you do, there's always some risk and it's always just finding the right level of acceptable risk that you can operate and move forward. How do you think about it personally?
Yes. And before I answer that, I'm just going to say that there's a layer of complexity added to that in the power grid, because all the ratepayers want to minimize the cost of the grid. Yeah, minimize the utility cost. And so, um, you know, our, our, our utility, our grid operators are, are, are funded by ratepayers. Even the parts the federal government runs, the federal government actually put any money into it. It's all ratepayer funded. So these folks who are doing this work are operating without enough money to do cybersecurity. Yeah. On top of that problem and say, um, I think it goes back to, um, doing three things right. So first, having a strategy. Okay. Second, having an operating plan and the third, evaluating risk against your environment and those things. I mentioned risk registers a minute ago. Yeah. You know, I'm just going to harp on risk registers. It's like spend the time to understand the threats and say, you know, how likely is this going to happen? What's the impact? And, you know, however you want to do that mathematically, it doesn't, you know, it almost doesn't matter how you do it mathematically, as long as you have your own consistent mathematical formula so that you can then rank, rank, stack, you know, those, those things and say, this is, you know, my highest priority that I need to get to.
Um, and I'll add two other things on that. Right. The next one is tabletop exercises. So getting in there and getting your senior leadership committed to sitting in the tabletop exercises with you and understanding what could happen right as you walk through a tabletop exercise. Sometimes those folks, um, you know, may, may, may open their eyes a little bit. Not only do they understand their role in an event, but they start to realize, oh crap, this could happen, right? This is what these are some incidents that can happen to us. Um, so, So I'd add, I'd add that and then I'd add, you know, educating that sort of step one to the bigger problem of educating your senior leadership, educating your board. Um, so that as they look at those scarce resources, um, they're going to allocate more to cybersecurity, more to, uh, replacing old equipment, you know, whatever it may be that that's causing you a risk. Um, so that they don't just say to you, well, are you compliant and the conversation because that's a big risk. If they just say, oh, you're compliant, go away. Um, yeah, yeah, something bad's going to happen.
Yeah, yeah. Awesome. Awesome. I think that's a great framing for it. I'd love to change gears for a second as we kind of wrap up today's episode. So that's, that's your past. What are you working on now? What should people know about the work that you're doing at Georgia Tech?
Yeah. Thanks, Jeremy. Um, So as a professor of the practice, an external fellow I work in, I have four jobs, all in twenty five percent of my time. Okay. So I'm, I'm in the School of Cybersecurity and Privacy, the School of Public Policy, the Strategic Energy Institute, and the Georgia Tech Research Institute. So my job is, you know, I said when they when they invited me to come back, I said, what do you want me to do? And they're like, yeah, go be useful. Um, which is an awesome job.
Yeah. And so I mentor students. I work with faculty on mentoring a cohort of faculty in our energy and national security group where we bring folks from all across campus, um, and we give them some seed grants and then they go out and do stuff. So I'm mentoring some of those folks along with some of my, uh, great colleagues, mostly former feds and former DoD folks who are mentoring these guys. Um, I, um, guest lecture in classes, um, you know, trying thought leadership work with the national labs because we have, you know, DOE. Excuse me. Georgia Tech has over a billion dollars in sponsored DoD research. A huge chunk of of DOE research. Um, in fact, we have more sponsored research than any other university without a medical school. So, um, it's a, it's a huge research component. And so I engage in that as well. So, but mostly, you know, the fun part is, is getting to spend time with, with students and faculty and engage in what they're doing. So there's that.
And then you mentioned, I've got my own, um, advisory firm, um, where I work with companies sort of in, in the range of energy, national security, cyber security, as well as, you know, folks who want to understand government better more generally. Yeah. Um, and then, uh, my board work, so I'm on the board for a company that is dedicated to bringing moving clean power from where it is to where it needs to be. Okay. And so, uh, building underseas cables to do that with, uh, global ambitions. We're really excited about that. And I'm always, uh, you know, looking to expand my portfolio. That's sort of my, my transition over time here is to do more work and less of the advising. I also do private briefings and speak at events. So, you know, I just busy as ever.
Yeah, yeah, it sounds like a lot. And I don't know where you found the time also to write a book about industrial digital transformation, but maybe just, you know, give us a couple of quick minutes about what that book was about.
Yeah. Well, that book was, was our pandemic project. We didn't know it was going to be a pandemic project. We started it right before, but that was very convenient that it was so industrial digital transformation. I was thrilled to be able to write with my three co-authors. And it's basically even though it is a pandemic project, I had someone read it recently and come back to me and say, this is still is this is still brand new.
This is. Yeah.
But it's about basically how you can, um, from both the hardware and the software standpoint, transform your organization, uh, for, you know, we call it Industry 4.0. So it is, It is really. There's a map for a variety of different technologies. We also talk about culture and public and private sector and how you how you drive transformation. So it's not simple, simply the technology. Although we talk a lot about technology, it's also the people and the culture and the, you know, how to actually get there from a planning standpoint. So, um, super fun to write it, uh, really enjoyed it. And you know, lately I've been, excuse me, writing lots of short stuff. So, you know, getting ready to go back to, uh, another book one of these days soon.
Awesome, awesome. And I'm not at all surprised to hear that it's still as relevant today as it was, you know, kind of five, six years ago during lockdown. Because as we said at the beginning, these are big, complex systems. These are not systems that you transform overnight where you say like, oh, well, we're going to move to the cloud next week. No, I mean, these are big, complex systems with with very much, you know, criticality on them. So these are things that have to be very carefully planned out because literally lives depend on the systems that you're talking about. So yeah, again, not at all surprised to hear that that takes some time to transform.
Yeah, very much so. Thanks.
Yeah. Awesome. Awesome. Well, we will have links to your research and your profile over at Georgia Tech as well as I think your LinkedIn profile for anybody who wants to learn more about, you know, and kind of keep up to date with the work that you're doing, some of your publications until then, I would say, you know, signing off from the Modern Cyber podcast. Ann Dunkin, thank you so much for taking the time to educate me and our audience on the grid, on some of the threats, some of the risks, some of the management, all the things that we, again, take for granted but are such a critical part of our daily lives. Thanks for taking the time to join us on Modern Cyber.
Thanks, Jeremy. It was a lot of fun.
Awesome, awesome. To our audience rate review. Like subscribe, all that good stuff. Please share this episode around. I really think it's important for people to understand that, you know, we all work in IT. We all work in cybersecurity. None of that happens without electricity. So take the time to share this episode with somebody else who is working in the space to get an understanding for what we all take for granted, and we'll talk to you next time. Bye bye.