
It’s not often you experience convergence or recognize it when it happens. For me, it wasn’t one big moment, but a series of encounters that didn’t seem connected until I looked back. An AgSec conference. A question from my daughter about wildfires. A Department of Energy conference presentation from an INL expert. A long phone conversation with an insurance industry veteran. Written out like that, I started to think, “These threads might actually tie together.” But in real time, we don’t typically think that way. That’s probably why history so often repeats itself.

Last week, I had the opportunity to attend sessions at Grand Farm in North Dakota, working alongside Andrew Rose and the BIO-ISAC. I was invited to help respond to questions and commentary from attendees during a live Agriculture OT Security incident response tabletop exercise. The scenario work was dark but relevant, vividly exploring how OT vulnerabilities could be exploited to impact agriculture at scale. Andrew framed the narrative expertly, and I provided color commentary and insight on the technical and operational implications. It was a reminder that cyber risks in agriculture are no longer theoretical; they’re operationally consequential.

Just a couple of weeks earlier, I had a conversation that brought things closer to home. My daughter, who works in supply chain for a MedTech firm, asked about the recent spikes in wildfires, why they’re happening more often and whether anyone is doing anything to get ahead of them. I was shamelessly proud of the question. We talked about wildfire patterns, resource allocation, logistics, climate factors, and mitigation planning. It was a broad, involved conversation that underscored the complexity of preparing for and responding to disruptions, natural or manmade.

From Wildfires to Water Levels: Rethinking Risk

That discussion echoed into another pivotal moment for me, back in May 2023, when I attended the Department of Energy Cybersecurity and Technology Innovation conference in Minneapolis. I sat in on a presentation by Andrew Bochman on OT security. For those who know Andrew, you’ll understand the impact of what came next. At the time, I didn’t know what I was in for. His message was clear, direct, and deceptively simple: OT security isn’t about protecting data or applications; it’s about preserving the physical processes that keep infrastructure running. I left that session needing a few moments to collect myself. The implications were profound.

Later that year, I heard Andrew present again at the Cybersecurity Summit. The same clarity. The same focus on physical consequence over digital abstraction. That framing stuck with me, and it returned in force during the Grand Farm exercise when we explored a scenario involving irrigation systems manipulated during a flash drought. Disabling or degrading automated irrigation controls during extreme heat is a devastating force multiplier. It’s not just a clever attack vector; it’s an existential threat to yield, supply chain stability, and economic continuity.

These conversations reminded me of a phone call I had back in 2021 with Gerry Kennedy, known by many as “the Kraken.” Talking to Gerry is an experience in itself. He’s deep, direct, and pulls no punches. During that call, he laid out the challenges facing the insurance industry in quantifying cyber risk, particularly in OT environments. He foresaw the dilemma insurers would face: rising threat levels, uneven preparedness across sectors, and a massive exposure gap. Much of what he said was later echoed in a 2023 article by Anna Ribeiro, where Gerry remarked, “How prepared are the organizations? Preparation varies wildly from none to OT security maturity. No one is safe and the insurance industry knows that.”

Connective Tissue: Cyber, Climate, and Consequence

At Grand Farm, Andrew Rose used a powerful phrase, “connective tissue”, to describe the interplay between natural disasters and cyber incidents. That’s not just metaphorical. In a flash drought, when every minute counts, a coordinated cyber action against irrigation or supply chain controls could tip systems past the point of recovery. Whether or not it’s an “incident” by NIST’s definition, the effect is very real, and it’s physical. It moves us into cyber-physical territory, where understanding process and environment is as critical as understanding networks and protocols.

This broader framing challenges how we assess risk. Are organizations seriously tracking the full spectrum of risk factors? Beyond tariffs and fuel prices, are they actively monitoring wildfires, water levels, hurricane trends, or seasonal flooding? Nature has long been the more consistent disruptor of infrastructure, more than any state-sponsored threat actor. As Gary Hinson once asked in a resilience discussion, “Are subscribers and consumers willing to pay more for capacity and availability?” Because that’s the price of resilience, especially when natural events increasingly challenge system limits.

Consider a hydroelectric plant meant to produce 450 megawatts but cut down to 100 because the lake’s water level dropped by three feet. No cyberattack, no ransomware. Just a weather pattern. The result? Rolling blackouts and power rationing. Andrew Bochman’s message becomes real here: no flow, no power. OT security, in this context, is not about protecting digital assets; it’s about preserving the conditions necessary for physical functionality.

The Role of Insurance: Risk Incentives in a Shifting Landscape

Which brings us to the inevitable question: “Okay Paul, what’s the solution?” While we can’t solve it all at once, we can start with the physical. With declining water tables, more frequent flash droughts, and 100-year storms arriving every five years, we must adjust. That means building infrastructure with more distributed capacity and designing for availability and reliability under stress. Ironically, these principles aren’t new; they’re foundational to industrial control systems: productivity, reliability, and safety. Resilience isn’t a luxury. It’s a design goal.

At Grand Farm, we also discussed a potential catalyst for progress: insurance. Specifically, the idea that if cybersecurity controls were linked to insurance policy terms, agriculture producers would be far more likely to implement meaningful safeguards. That kind of shift might bring a tear to Gerry Kennedy’s eye. After all, nothing gets built, grown, moved, or sold without insurance. And if you’ve renewed your policy lately, you’ve probably noticed your questionnaire has grown, from 20 questions to 140.

Insurers are in a tight spot. They’re navigating the tension between protecting their policyholders and serving their shareholders. But as Mea Clift pointed out at last month’s CyberRisk Leadership Exchange, they aren’t rooting for failure. On the contrary, insurers have every incentive to ensure policyholders succeed. Proactive, measured controls benefit everyone.