“When I talk to people and they ask me, ‘well, where do I start?’ Well, you start with understanding your environment first. What do you have? What do you need to protect? This piece of equipment goes down. What happens to your environment?” - Jim Montgomery
Bryson Bort is joined by Jim Montgomery, Director, Industrial Cybersecurity Solutions at TXOne Networks. TXOne provides network-based and endpoint-based products to tackle security vulnerabilities across industrial environments. With decades of IT security experience, Jim now leads TXOne’s work protecting Operational Technology environments across critical sectors like automotive, oil and gas, pharma, manufacturing, and semiconductors.
How can we defend against threats that are already embedded within our systems? What are the most immediate and significant risks facing our critical infrastructure today? And how can operators begin to secure their networks?
“Let's start with the basics. Let's start with understanding. Let's start with making it hard to get into your environment, and let's start discouraging that type of behavior from attacking your environment,” Jim said.
Join us for this and more on this episode of Hack the Plan[e]t.
The views and opinions expressed in this podcast represent those of the speaker, and do not necessarily represent the views and opinions of their employers.
Hack the Plant is brought to you by ICS Village and the Institute for Security and Technology.
Bryson: I’m Bryson Bort, and this is Hack the Plant, season 5, brought to you by ICS Village and the Institute for Security and Technology. Electricity. Healthcare. The food we eat. Our water supply. We take these critical infrastructure systems for granted, but they're all becoming increasingly dependent on computers to function.
In Season 5, it’s more important than ever to ensure that our essential services are resilient to disruptions. This season, we’ll bring you insights on four of our most vital lifeline sectors - electricity, healthcare, food, and water. We know that our interconnectivity makes us vulnerable to our enemies – but what can we do about it?
We walk you through the world of hackers working on the front lines of cybersecurity and public safety to protect the systems you rely upon every day. From the threat posed by Volt Typhoon to the aftershocks of the Change Healthcare data breach, it is clear: the time for action is now.
In my day job, I'm the CEO and founder of Scythe, a start-up building a next-generation threat emulation platform, and GRIMM, a cybersecurity consultancy and co-founder with Tom Van Norman of ICS Village, a non-profit advancing awareness of industrial control system security.
I'm also an adjunct Senior Advisor at the Institute for Security and Technology, a 501c3 Think Tank dedicated to tackling technology-driven emerging security threats.
Subscribe wherever you find podcasts to get each episode when it drops.
Check out our policy conference 12-13 JUNE 2025, Critical Effect DC, our 8th annual infrastructure-focused conference connecting policymakers, members of civil society and academia, and OT/ICS stakeholders; it is the evolution of our Hack the Capitol conference, so if we saw you last year, we hope to see you tomorrow!
On today’s Hack the Plant, I’m joined by Jim Montgomery, Director of Industrial Cybersecurity Solutions at TXOne Networks. TXOne works together with both leading manufacturers and critical infrastructure operators to develop practical, operations-friendly approaches to cyber defense. With decades of IT security experience, Jim now focuses on protecting Operational Technology environments across critical sectors like automotive, oil and gas, pharma, manufacturing, and semiconductor.
But those types of things and implantation of the time bombs, time bomb malware in specific critical infrastructure is the thing that scares me the most. Because we already know they're in the systems. We already know that they have had access, and are moving through the systems.
I mean, you can quote event after event of monitoring this happening. And that's the biggest threat, and the biggest fear is really, if these are timed events, at what point in time are they gonna be used? Are they gonna be used based upon a geopolitical event? Is it just a time that's going to happen on a specific year?
How can we defend against threats that are already embedded within our systems? What are the most immediate and significant risks facing our critical infrastructure today? And if he could wave a magic, non-internet-connected wand, what is one thing he would change?
Join us for this and more on this episode of Hack the Plant.
Jim Montgomery: I actually started off in retail grocery, if you can believe it. Bagging groceries. So did that, worked my way through that, up to the store director and then actually started a company with 10 other gentlemen selling products to the stores.
In the midst of starting that company, we ran into an issue, in that nobody knew IT. They couldn't set up email, couldn't set up servers, had no file shares. So basically I went to school, got my MCSE, became the unofficial director of everything that plugs in. That's how I started my IT career.
Fast forward 30 years to where I'm at now, went through support with Trend Micro, spent about 14 years with Trend Micro doing everything from support, professional services, implementation services, all the way through managing the team SEs. So pre-sales operations, and then moved over to this realm, the realm of OT. Which was new for me about five years ago. Hadn't really focused on it, hadn't really given a lot of thought. My focus on cybersecurity was really more on the IT side of the workstation, the eyes on glass, hands on keys. And honestly didn't really give a lot of thought about OT. Was introduced to TXOne through some of the companies that we worked with previously.
I'll name drop a little bit: semiconductor manufacturer in Taiwan. I won't name drop. I'll just tell you who they are. Basically started the process of, started the genesis of our current company in developing solutions for OT environments specifically. So that's how I kind of got involved as those processes and those products were developed.
I came over to the TXOne side. And started learning. There's a lot to learn moving from IT to OT. And I know there's a little bit of a separation still, philosophically and in practice between IT and OT. I think that's getting solved. That can be actually another subject that we talk about.
That's part of that process, right? Is that learning process, picking up the nomenclature, the acronyms, the specific requirements for each of the verticals. It's all very different, when you try and lump OT together in a group. While there's commonalities, it doesn't all lump together because they're all very, discreet, very different operationally, as well as requirements trying to implement solutions into those different environments.
So now I'm into the verticalization, specializing in five different verticals. Automotive, oil and gas, pharma, manufacturing, semiconductor, and developing solutions and solution content, primarily, for those industries. And trying to help those industries move forward with their baseline security practices.
Bryson Bort: If you were to summarize the challenges, recognizing that each vertical might have some unique qualifications, how would you, across what you're doing for what you're solutioning?
Jim Montgomery: Legacy.
Bryson Bort: Legacy?
Jim Montgomery: I would summarize it.
Bryson Bort: Tim, you walked right into my favorite joke. How do I know a computer's, an industrial control system?
Jim Montgomery: It's legacy. Yeah.
Bryson Bort: It's at least 20 years old.
Jim Montgomery: Well, I talked a little bit about the common threads, and that's working in the different verticals, working semiconductors specifically. It really opens your eyes to, your point, the age of the equipment, but the functionality of the equipment. The equipment's designed to function for 20 years, so why can't we support it for that long?
It's one of my biggest questions and, next question is, well, if the manufacturer of the equipment, if the software writers of the operating systems aren't gonna support it, how do we protect it? How do we enable protection in those types of environments? And that's really where those specific differences come in.
You're talking fab, sub fab, and semiconductor when you're talking manufacturing processes, and general smart manufacturing or normal manufacturing, automotive. When you're talking about power distribution or critical infrastructure, the solution and how you implement it, and the regulations that you need to comply with are different in every vertical, and that's the biggest challenge.
It's not solving legacy. We can solve legacy pretty easy, right? Here's the protection capabilities that will help you solve a legacy problem. But it's the implementation side where it gets really complicated and what's allowed, what's not allowed.
Bryson Bort: Okay, so that leads us to NIST CSF, and 62443, which everybody has been talking about for a couple of years now. So what's the latest that's going on there and how is that driving what you're doing?
Jim Montgomery: When you look across the board, when you look at, I wanna say regulation, they're not necessarily the regulation, they're guidance. So when you look at these types of guidance papers, even the federal guidance papers, there's some very specific ask upfront. And really the ask upfront is targeting more of a phased environment approach. Right? So, and this is probably again another topic, but when we talk about phased approaches and how you implement security and to what level you implement security, is really what we're trying to achieve through NIST and through 62443. There's a lot of content there.
One of the things I worked on over the last almost year and a half now, with semi.org in the SMCC, Semiconductor Manufacturing Cybersecurity Consortium. Now you know why we call it SMCC. Is the ability to create a community profile for a NIST CSF or semiconductor. Again, before joining Semi, I wasn't even aware that you could do community profiles with NIST CSF, but it's been a really interesting experience going through and looking at the NIST templates, creating NIST templates specifically for semiconductor.
And this is all the newer version, NIST 2.0. So that's one of the big accomplishments that we've managed to produce over the last year, year and a half in semi, and that's actually a public review right now. So it's getting really specific on the NIST guidance and how you actually implement, and the rationale for implementing into semiconductor.
What is the guidance and what is the rationale for doing it? And actually some basic guidance on how to do it. So getting very practical in the approach to protecting specific environments.
Bryson Bort: What are the changes that happen there? What are we doing now?
Jim Montgomery: It’s written specifically for semiconductor. It actually targets semiconductor operations. So when you look at the guidance, the terminology has changed, where it applies to fab or it applies to sub fab, where it applies to IT environments. The rationale changes based upon the vertical. And there's a number of different verticals defined in the community profiles, but it's really just about the specificity of each one of those verticals and how you'll actually implement the protection capabilities in those verticals, that we're trying to overcome with the community profiles.
Bryson Bort: So why did we need NIST CSF to put something out specific for fabs? When we had 62443 that has been providing guidance on not only the cybersecurity of manufacturing operations, product security itself, and the IEC has been working on turning that from guidelines into an actual framework to measure your cybersecurity of those manufacturing operations.
Jim Montgomery: I think simplicity is the biggest reason and adoption. So when you look at adoption, I'm gonna quote some numbers here that would qualify with saying that 70% of all statistics are made up on the spot. So generally, in general terms, 62443 has about 37% adoption rate across a surveyed base, if you will.
And NIST CSF has almost 50%. So they're very close in use. But I think the NIST CSF framework approaches it a bit differently in a more simplistic fashion. And it's easier to implement. We supply criticality tables that help you identify where you should start, what that phased approach looks like. And again, 62443 does a lot of this too, but we provide that rationale again, specifically for semiconductor, but in a more segmented and simplified version.
I think there's 162 controls in NIST CSF, where 62443 has many more. And honestly, CSF is free, where you have to pay for NIST.
Bryson Bort: Fair enough. Free is always the best price.
Jim Montgomery: And I think that's part of adoption too, because when you think of OT environments in general, you think of the big guys, right? You think of the big players, the large manufacturers, the large semiconductor manufacturers.
There's a ton of small, I don't wanna say niche, but smaller players, maybe they don't have a SOC. Maybe it's part-time IT staff, and they're trying to implement cybersecurity across their environment where they have regulations or guidance pushed on them. They don't always have the resources or the knowledge to implement some of this stuff. So that's why I think the simplistic approach, and the free approach, appeals to a higher base simply because it's easier and it's free.
Bryson Bort: Yeah, I think that really is the crux of the problem that we see in the industry writ large. Wendy Nather phrased this really well when she talked about the cybersecurity poverty line. The haves and the have nots. And we have very few haves, and yet most of the conversation and most of the resources are funneled to the haves.
Because they actually have the resources to do something with it. And the 99.9% of all of the rest of the organizations and businesses are there working on a shoestring budget. And the challenge that they have, and I think this is just – it hits in OT, it hits in IT, and it's really, I think, a warning shot to our own industry of practitioners, which is, it's not that these folks don't get it. Right?
That is one of the silver linings of ransomware is everybody gets it now. Not only do they fundamentally get ransomware because it's so ubiquitous, but they get the concept, they get the risk. Which means it's not that I'm against cybersecurity, it's not that I, as an executive, I'm against the investment of it. It's just there's so much noise. And I don't know what to do and I don't have the resources to spend turning the wheels on what might be a good idea, versus prioritizing what really I need to do for my business. And that's where I'm overwhelmed and I'm looking for the simple answer to just say, start here. So what do you tell folks in that situation?
Jim Montgomery: I tell 'em exactly the same thing. That's one of my focuses when I try to deliver solutions, or even when I'm doing writing for articles, publications, what have you, LinkedIn doesn't matter. I try and keep it very middle of the road, so that I'm offering practical guidance to implementation, and not the high level read this 400 page document and figure it out on your own kind of guidance. I go back to, I mentioned the phased approach before. There is a specific approach to implementing security capabilities. When you're talking about OT and really when you look at how you approach it. I'm gonna get a little old school here.
You don't eat the whole elephant at dinner, right? It's pieces, it's prioritization. It's when I talk to people and they ask me, well, where do I start? Well, you start with understanding your environment first. What do you have? What do you need to protect? This piece of equipment goes down. What happens to your environment? Is that the most critical piece of equipment in your environment? And then let's start prioritizing your environment of how you actually approach your baseline security strategy. But from that documentation and that visibility standpoint, then you get into some of the basics.
And again, it's basic. You don't need a platform or a program to do a lot of the hygiene. Turning off unnecessary services, closing ports. Monitoring your protocols across the network. Basic system hygiene is always the next step – once you understand your environment is locking down the environment the best you can without the investment, right? So these are things anybody can do. Not anybody granted, but any IT professional can help you get through this part of the process.
And this is probably the most important part of the process because it's understanding your environment, it's understanding what your challenges are. Understanding what's important in your environment, and then formalizing an approach to how you're actually gonna protect your environment. So the steps when you look at it overall, oh, I have a thousand different systems in my manufacturing environment that I didn't need to protect.
Well, yeah, in the global scheme of things you do or you should, but let's start with the basics. Let's start with understanding. Let's start with making it hard to get into your environment and let's start discouraging that type of behavior from attacking your environment. And that's a place to start, right?
It's not gonna be perfect upfront. It's not gonna be perfect overnight. And even if you do decide to deploy or implement a large security strategy, it's gonna take some time and resources. Again, that phased approach that I talk about all the time, those are the first few steps. Once you get past the understanding your environment. Once you get past the free stuff. And then it's time to start looking at additional capabilities, whether it's using VLANs to start segmenting, whether it's using a hardware appliance to start segmenting, looking at legacy devices and saying, okay, well you know what? These aren't patched. These are my most vulnerable asset, so maybe I start here. Again it's about that understanding, and then the prioritization as you move through that building of a security mentality in the environment and implementing those security programs
Bryson Bort: And the reason that we're here is because we exist in a world where military and intelligence organizations from certain countries are doing something negative about all of this stuff.
So let's get into the geopolitics, which is why cybersecurity is so interesting. We wake up each day and we have to fight off another country and our private organizations, which seems like nobody else has to do that except for us, every single day. So what are the geopolitics? Why is that so unique to the situation with semiconductors? Which is a softball 'cause I think everyone knows that one. And where's this all going?
Jim Montgomery: Without getting into politics, we'll get into geopolitics. When you look at behavior over the internet global network, you'll notice a direct correlation between geopolitical conflicts and malware activity or compromise activity, if you will. Could be vulnerability compromised, could be nation state attacks, could be anything. But you'll see a significant volume increase.
I'll cite China. They're not the only ones. They are the ones that typically we talk about, and typically we see. There's a number of nation states out there attacking. Just looking at China you can look at the specific groups within China, and when you see these individual incidents happening in geopolitical conflicts, a good example is I think Hillary Clinton went to Taiwan. Significant uptick from China in attacks against Taiwan and the U.S.
So we see this correlation between world events and uptick in malware or bad guy type of behavior. And that's the direct correlation, right? It's a tool, it's a weapon. It's the ability to not only extract money through ransomware, but also to do damage to environments. When you look at NotPetya and the Ukraine, that was the supply chain attack. But basically that supply chain attack, while it did infect Ukraine and take down their power grid, it actually went global.
So it went all over the world, simply because of the lateral movement and how the malware was designed. So some of these attacks not only have direct correlation to world events, but they have spillover to other countries, to other nation states, to other critical infrastructures. I was just reading an article last week about implanted malware found on specific devices manufactured in a specific country. Well, not surprising, right, because they're manufacturing and they can put whatever they want on there, and it's up to us to find it when we buy it.
Bryson Bort: Can you be more specific or are you being vague on purpose?
Jim Montgomery: I'm being vague on purpose.
Bryson Bort: Okay.
Jim Montgomery: But those types of things and implantation of the time bombs, time bomb malware in specific critical infrastructure is the thing that scares me the most. Because we already know they're in the systems. We already know that they have had access, and are moving through the systems.
I mean, you can quote event after event of monitoring this happening. And that's the biggest threat, and the biggest fear is really, if these are timed events, at what point in time are they gonna be used? Are they gonna be used based upon a geopolitical event? Is it just a time that's going to happen on a specific year?
To me, that's the scariest part of it. And that's also the scariest part when you talk about protecting your critical infrastructure. Because if you're not protecting – and I classify critical infrastructure pretty generally. I mean to me semiconductor manufacturing, automotive, oil and gas, electricity decision, they're all critical infrastructure to me, because if we lose one of those capabilities, things start to go sideways pretty quick. And there's a lot of studies being done on, if you lose electricity for three days, you start turning violent against your neighbors. It's silly stuff, all conspiracy theory stuff. But once you get into those types of spillover attacks and those types of spillover events, you don't know what the impact's gonna be. And that's the challenge for us, is number one, prevent it in the first place, or at least discouraging that type of activity in the first place by limiting connectivity, limiting exposure, limiting surface area of attack. But also getting in and understanding what's happening in the environment and protecting that environment from lateral movement, from the damage that could potentially happen if something is already there.
Bryson Bort: You talked about writing articles about this. I mean, was there any more detail on how you see this playing out over the next – some people are predicting two years. Some people are predicting five to ten years.
Jim Montgomery: That's part of the conspiracy theory thing that I alluded to and it's not tangible.
Bryson Bort: What do you mean it's not tangible?
Jim Montgomery: When I say tangible, I mean it's not set in stone. Even though China said that we're gonna take over Taiwan in 2026 or 2027. One of the two, I think it's 2026, I think it's next year. Even though China said that. Is that really gonna happen? Do we believe that China's going to physically invade Taiwan? I don't know. It depends on your point of view, and it depends on the theories that you subscribe to. I think it's possible. Sure. What's going to happen to the semiconductor industry if TSMC is suddenly a Chinese company? I don't know.
Those are the leverage points that you look at when you look at geopolitical conflicts – yes, it's personalities, yes, it's egos. But it's also about leverage. So if I can take over one of the top manufacturer of the top fab in semiconductor, what's the control I could have over the U.S.’ military? What's the control I could have over the chip manufacturing for specific defense types of installations or defense types of packaging?
I mean, you could go down a lot of rabbit holes with that, and that's again, the non-tangible part. It's like number one, what is the incentive and what's the intention? Because you don't always know if the intention is destruction. Is the intention just stealing of intellectual property? Is the intention to take over the world? I don't know.
Bryson Bort: So from your perspective, your advice to clients is, this is not a foregone conclusion and it's a scenario that if it happened, we would have to deal with it afterward.
Jim Montgomery: I hate the term it's not if, but when? But it's a true statement. You see it all the time. You see companies getting compromised all the time. And compromise to me is not necessarily damage or theft. That's just, hey, somebody got in your system. We don't know what they did. We don't know what they saw. We don't know what they stole. We can't document it. That's compromise. We've lost data. If we've installed ransomware, that's a different scenario. But the awareness, I think is really what we're alluding to here, and the awareness of not only the world events, but the awareness of just the broad nature and the broad attack base of malware and how it's propagated. Every week, every day, you hear of another compromise somebody else getting compromised, whether it's healthcare. It could be anybody, it could be manufacturing. Those are the things that, another marketing term, keep you up at night.
But those really do kind of keep you up at night thinking about, again, the spillover from an attack like that, that could happen. Something that affects our healthcare system. Well, it doesn't just affect our healthcare system. Now you're talking about possibly endangering lives, possibly endangering environmental control, types of infrastructure, things that matter, and things that could hurt people. So it's dramatic. Yes, but it's not a stretch. I mean, it happens all the time.
Bryson Bort: We're moving from the geopolitical part of supply chain to just the risks of supply chain. So you've done some work on supply chain validation?
Jim Montgomery: Yeah. Also with semi.org and the SMCC, one of the goals we wanted to achieve was targeting or developing supply chain validation criteria that can be used across semiconductor. Kind of a TISAX approach if you will. If you guys know TISAX, it's automotive industry standards in Europe. It's generalized so that it can be used and shared across entities within Europe. So that was the basis of the approach. We wanted something that any chip manufacturer, any fab, really any supplier to any of these fabs can evaluate their supply chains in a standardized fashion, if you will.
So that if I give this supply chain questionnaire to my 10 suppliers, they can then just share that same result of the supply chain validation with other specific vendors that they may do business with. So it's an attempt at standardization for validation of not only operationally, but just, hey, is the equipment malware free?
Are you giving us stuff with current operating systems? Have you scanned it? Are there vulnerabilities on it? So it's those types of approaches and those types of maturity levels that we're trying to manage. Yes, it's about awareness. Everyone's aware that there's malware out there and there are malware issues out there. But it's about the purchasing or device manufacturers, if you will, asking for their vendors to also do the same validation process when they're taking equipment in and it'll help clean up the supply chain because once you start at the source, it's gonna take a while to flow through. But that's the intention, that long-term flow through and understanding the nature of the devices that we're providing, and then providing security structure around those devices and validation around those devices.
Bryson Bort: So I'm a small fab. I have not been doing that level of validation. I'm probably like the classic manufacturing environment where my automation and control engineers have been handling remote access and the physical access and maintenance and upgrades for the third parties that build and maintain these devices inside my plant. Where do I start? How do I start to do that?
Jim Montgomery: Start with, again, that validation process. So in the vendor criteria, if you will, the survey that we've created, it basically runs down levels of maturity based on the CMMI model. CMMI has four levels of maturity, if you will. One being, yeah, I'm not really doing anything, my security's kinda ad hoc. All the way to the fourth level being, yes we are constantly learning and evolving from our security events. We're implementing these protection strategies.
So it gives you a way to progress through that transition. So if you look at the build of the survey itself, it builds on the critical aspects of what's required to meet the different levels of maturity, if you will, and helps you get to a starting point. It's like, well, I can't do these five things, but I can do these two things. So it gives you a point to start, and that's really going back to that basic guidance and that phased approach that's really about just giving practical guidance to operators, to suppliers, where they can start and how they can actually develop their security program without having to invest the entire operating budget of the entity into that security program.
Bryson Bort: Before we go into the lightning round, is there anything else you wanna cover from your side?
Jim Montgomery: The only other things I would mention, they didn't used to be. There's a lot of development specific to ICS and OT types of environments, with respect to security.
The big players are out there, the big firewall guys are out there delivering network type of inspection all the way down into the most everybody should be familiar with the Purdue model. Basically, it's just that, common structure, that common language structure to know where different systems lie within the OT environment. And they're getting down into the lower levels of that Purdue model where not quite to control, but we're into the HMI, the SCADA environments and having the ability to create segmentation and security strategies at that lower level. And that's kind of where TXOne plays also.
We deliver on the protection capabilities. And again, down at the lower levels is really where we're trying to implement these types of protections. Changes to PLCs, which can be harmful, changes to HMIs or even ransomware on HMIs has been a, an example that's basically shut down factories, shut down systems.
So a lot of these capabilities exist now. We didn't talk a lot about legacy, but these protections really need to go back to legacy. And again, that's where we focus our protection capabilities, is on the full spectrum of protection strategies when you get into some of these manufacturing environments, 'cause as we talked before, legacy's prevalent in any manufacturing environment. Whether it's critical infrastructure, it doesn't matter what the vertical is, everybody's got legacy and that's the one problem we're all trying to solve.
Bryson Bort: Yeah. One of my intro talks to industrial control systems is titled, Why Is It Running Windows XP? I built it for the IT folks 'cause they'll be the first to like, wait a second, what?
Jim Montgomery: I'll even go back further than that. It's common, albeit a little scary to see NT, NT3, NT5. It's out there still and it's still running.
It's still making widgets or whatever it's doing so, it's not broke.
Bryson Bort: If you could wave a magic, air-gapped wand, what is one thing you would change?
Jim Montgomery: Remote access. A little story around that.
We've done plant walks, post-COVID. And I understand the reasoning why we did it during COVID. We couldn't access the locations, we couldn't get physical access into these environments. We'll see wireless dongles hanging outta panels. You'll see unverified. It's like, what's this? I have no idea. I've never seen it before in my life. Well, what's this wireless VPN doing underneath your desk? I don't know. It was just there when I got hired.
Those types of issues are still out there, and that's the biggest thing is secure your remote access.
Bryson Bort: So your magic wand, you would instantly solve the problem, remote access, which would reduce the surface area and third party activities inside of our own perimeter.
Jim Montgomery: Yes.
Bryson Bort: So you've waved your magic, air-gapped wand. Now looking into your crystal ball, which looks suspiciously like an HMI. What is one good and one bad thing you think will happen in the future?
Jim Montgomery: The good thing is systems will eventually get upgraded when they break. The bad thing is systems will be attacked until then.
Bryson Bort: So hacks will continue to happen, and this is a hard problem.
Jim Montgomery: It's a hard problem. It's a hard problem for everybody because there's not only the will it run XP question to ask, is my hardware compatible? Are my software programs compatible? You get into the financial questions. What's my ROI on this system? What's it gonna cost me to replace this system? What's it gonna cost me to replace this lithography machine that costs millions of dollars because I'm running on XP? It's not broken, it's still working. Why do I need to replace it?
There's definitely a financial consideration to this discussion also, which we didn't talk a lot about, but it's absolutely out there.
Bryson: This is Hack the Plant, a podcast from the ICS Village. Catch us at an event near you. Subscribe wherever you find podcasts to get episodes as soon as they're released. Thanks for listening.