Transcript
and productivity and the complex world of risk and compliance. As manufacturers face increasing pressure to modernize, they aren't just battling the risk of downtime, they're navigating a shifting landscape of federal mandates and sophisticated cyber threats. To help us understand the view from Washington and what it takes to build a truly resilient plant floor, I'm joined by Chris from CDW. Chris, thanks for joining us to share your perspective on how leadership can bridge the gap between high-level strategy and technical reality.

Thank you for having me, Richard.

You bet. So let's get right into it. Let's talk about the view from Washington. So can you lay the foundation here about what manufacturing is seeing as far as a shift in oversight, and what are the most significant regulatory drivers causing that shift?

Oh yeah, it's really huge right now, and great question, Richard. I mean, manufacturing is seeing a huge shift in oversight, you know, from a best-practices posture to a contract requirements mandate, and nothing is more evident in that than the CMMC. And basically, that's the clearest signal that that's become law now: if you touch any type of defense work, or if you're doing any type of work with government contractors, this is now a mandate that has to be complied with.

Okay, very good. Now, when we're moving in this regulatory space, there are going to be investments, there are going to be some measurements. We talk about resilience in some regard, but before we, you know, get into, you know, those other types of KPIs, let's focus on the resilience and the ROI conversation. So we'd mentioned that, you know, we shouldn't just look at one or the other. So, you know, we can't purely focus on ROI. And more importantly, maybe operational resilience is the best thing to focus on from a manufacturing standpoint. So could you kind of compare, contrast, and then even look at this kind of from a, you know, through a quantitative lens as well?
Yeah, definitely, definitely. Yeah, because, you know, in the mindset of security, it's very myopic. You know, is it physical security? Is it cybersecurity, information security, operational security? You know, what type of security is it? I think the days of being siloed in security are long gone. I really hope that, especially since north of 75% of organizations that are private actually run and operate our critical infrastructure. So what that means is our critical infrastructure, our way of life, is actually owned and operated by private entities. So these private entities are businesses that are just like anyone else trying to get their return on investment when they deploy any type of technology or human resources or infrastructure that would enhance the security of something. So really that term is rolled back, because as soon as you think of, you know, security, you're thinking, okay, well, what kind of physical security? I have a cost measurement for that. Is it cybersecurity? You know, I know exactly how much my tech stack is going to cost, you know, but how much is that going to play into the operational technology space, which is really where things get very, very challenging. And that's why we like to use the word operational resilience, because what you're really building out in the infrastructure is to be able to not only survive an attack, but be able to manage it and move on. So I was an asset owner during COVID in the manufacturing space, and I had 82 plants globally. So one of the things that we had to do is we were supplying ventilator systems and filters and things like that, and to turn and burn and maintain those manufacturing lines and keep those lines up and running while they're under constant attack. One of our plants, we had to logically, you know, basically logically burn, if you will, air quote, to the ground so it wouldn't head over to the logistics centers and even stop that automation process.
So you need to actually establish a north star and start building out resilience in the organization, because once you have that resilience, you can start to ask, you know, okay, how can we detect disruption? What does disruption look like? In the meantime of doing that, you know, you can start dusting off your incident response plans, you know, if something did occur, because it doesn't just take a cybersecurity attack. It could take a physical attack. It could take nefarious internal actors, you know, that could be causing issues there, or it could be a world event. We're seeing a lot of this play out over the last six, eight years, that world events have drastically affected manufacturing.

Yeah. And one thing, if I could throw in, you mentioned incident response, so you have these other, you know, services and other things to employ, but, you know, multifaceted tabletop exercises as well, right? Because you, the interaction of operations, sometimes, you know, we're so focused on our day-to-day job, we don't realize that we're relying upon all these other systems as well. So great advice there.

That's true. Yeah.

Now, shifting gears just a little bit, but like one of the byproducts of this new, you know, rise of OT risk, usually going over to like the CISO or the C-suite, and then the IT teams are getting involved. Then the IT teams are asking, what's OT? And then you've got the whole, you know, you've got the arms-folded, you know, plant manager of like, I got to keep the line running or the water flowing. So one of the things that I'd like your insight on is this rise of the OT CISO or the kind of virtual CISO. So what we've seen is that boards are recognizing this gap, but yet need the executive kind of responsibility. So this OT virtual CISO, like how does this help? How does this role help bridge the gap between the plant floor managers and then the executive suite? And I will say, I did not dub that term OT VC.
So I'm not sure who's going to dub that or own that one, but you know what? It really speaks magnitudes when you actually have a person that can pivot and speak not only to the engineering and all the different business units across manufacturing, which obviously the manufacturing plant floor, and then that's rolling all the way up into MES, your ERP, the business units. And then also across the logistics centers, you know, I had fully automated plants, you know, pick, pack, ship, stores, you know, things have to be done systematically. Otherwise you have cascading failures. So this OT VC CISO, a lot of what I encountered in being blessed to be in this space north of 35 years, which is a nice way of saying I'm old, is being the crossing guard, being the marriage counselor, either between the engineers and IT and information security, as well as the business owners of every different aspect of that business and the plant managers, because every focus will be different. So the OT GRC term started coming into light. I started seeing that, and maybe someone can fact-check me, I'm sure they've seen it before COVID, but during that era, I'll just say that era for lack of a better time period, I started seeing folks like myself grab a GRC (governance, risk management and compliance) person to run along with the control engineers and write policy stacks on what's being deployed. Is it a rack and stack? Great. What are the as-builts? Because yeah, we'll have the OEM documentation. So let's run with that. So that's kind of the grassroots effort there. The OT GRC person actually rolled into a VC, because the GRC person was only laterally speaking across the units and that message wasn't getting up to the higher levels in the organization for better response times and decision making and resource allocation. So the VC role, it could be an OT advisory officer, executive, or just an OT bucket of hours.
I've seen a lot of folks calling it OT VC. But what that does is it allows a person that has the aptitude and respect and understanding of what it's like to be out on the shop floor that doesn't have to be tied to someone's hip for safety and hazard reasons. One, right? Know the environment that you're in. Okay. It's all about security and resilience. So really it's being able to understand the risk environment, document the technology, document the humans that are involved in the process, where there's co-bots and stuff, and then where robots and automation take place, and roll that policy stack up and then convey that with a unified view of risk and enumeration of the environment. And can we automate that? So that way you're actually speaking in those proper vernacular terms, right? To the C-suite board level, but also speaking in engineering terms and cybersecurity. So that's where that role really comes from.

Yeah, no doubt. And I would massively upgrade your reference to crossing guard to something like cybersecurity and operations air traffic control.

Yeah, I like that. Too much doesn't fit on the business card.

But so just as you described that unique role, part of that is that CISO piece, right? So what is the security policy? And again, you're probably creating security policy for the first time in the operational space. And again, you may have, you've got old networks, you've got old equipment that is running reliably, not ready for the internet. And all of a sudden you're connecting everything and then you're trying to standardize. And oh, by the way, you've got a bunch of M&A activity that went on. So you've got to somehow rapidly do all that. So what I'm getting towards is the security policy and then leaning on standards. So there are frameworks and other standards such as NIST, the Purdue model, and then IEC 62443. And there's a wide spectrum of just looking at the manuals and how they stack up, how thick they are.
But some can be suggestive and some are very prescriptive. How do these global standards help a plant or a manufacturer move past what is, yep, we got security, to an actual robust security policy that at the end of the day is reducing OT cyber risk, but also increasing operational resilience?

Well, there's a lot of frameworks that used to be only used in certain parts of the world, I'll say. So in North America, it just seemed like NIST, National Institute of Standards and Technology, commodities had to have a NIST-traceable standard, and I cut my teeth in OT industrial control systems and oil and gas. So NIST has been the de facto in North America. International standard, you mentioned IEC 62443, that is really great in segmentation and conduits and building out enclaves and really the global standard. It is a heavy lift, but once you're able to do the IEC 62443, it is very practical for building out zones, conduits, and then adhering and getting actually further along in your security journey, because you're not just checking boxes when you're doing a full rollout of IEC 62443. Now, if you're a NIST shop, it's okay, because NIST actually does crosswalk over to IEC 62443, and the specific NIST control I'm speaking of is NIST 800-82 Rev 3, and I believe Rev 4 is out for comments. So I would really encourage, if that window hasn't closed, for manufacturers, owners, asset owners, consultants, get out there and put in some information, because it will align to the NIST Cybersecurity Framework, and we have seen a lot of manufacturers want the NIST Cybersecurity Framework lens to provide that maturity and unified view of risk across the board. So you could roll up, if you're using IEC 62443 as a control framework, then you can actually roll that up to NIST CSF. Now, let's talk about the Purdue model. And I went to Purdue, so I'll just say that. No bias.

No, not biased at all.
I would say in my bubble, we've always used the Purdue model as a socialization as we sit around the back end of a truck while we're building a new plant, or if we're inside a boardroom with whiteboards and stuff, because I'm a whiteboard junkie. I have to whiteboard everything out when we start building these things, rack and stack, and let's build it out. So understanding what type of environments you have, IEC may not be that much of a lift for you if it's a small manufacturing, or if you have completely greenfield, it's great to start there. But at this point, you are able to use the Purdue model. They have the second version out. It's a great reference model. It helps you understand where things are at in the environment. You can put it over onto a conference table and walk it through with your different control engineers, electrical engineers, software engineers, your logistics guys, your IT folks, your NetSec guys, your InfoSec guys. And then that way, that paints a picture where you can start saying, okay, this is what we have. Let's work on building this out to get further along in our security journey. So those are great frameworks for manufacturing right away. I ask clients all the time, are you guys a NIST or IEC shop? Obviously, the global footprints, you'll see more IEC frameworks than you would NIST. North American shops, you'll see 800-82, sometimes 800-53 back in the day. But that may be because they're adhering to a stricter compliance. Think of medical devices and things like that. They have to adhere to a higher compliance standard, which a lot of times they may be aligning to 62443.

Okay. Okay. That sounds like we're almost at the graduate and then going into the PhD level of network architecture. I'm sure you can share and probably have been there. And then from my own standpoint, there are a lot more basic needs, as I call it, the left-leaning bell curve of OT cybersecurity maturity.
So if we dial it back to the first steps, for those folks that are just getting in and maybe knowledgeable of these robust frameworks, let's talk about how to get started or where their first priorities should be. And here we've got some of the basics. We haven't really mentioned visibility, but segmentation, they're hand in hand with first steps. But then you mentioned incident response as another thing that needs to be done. How can you help the audience here as far as a prioritization? Is it 1, 2, 3, or is it 1A, 1B, 1C? How would you help set that out for folks that are, again, just getting started and moving out of that left-leaning bell curve of maturity?

Sure. If they're just getting started right away, enumerate the environment. You can't protect what you don't know is out there. And what that would be and consist of is the hardware brand, the firmware version, what's burned on it, the software, what it's run with, and then your config files. I'm thinking PLCs right off the bat, the human-machine interfaces, engineering workstations, and then everything downstream of your PLCs. So all your RTUs, sensors, instrumentation and control devices, variable frequency drives. I'm thinking everything downstream from there. So let me stop right there. But what you need to do is, once you enumerate your environment, then you can level-set what the risk would be to each and every one of those devices. And then you can actually do the research to see, when you connect it to different devices and then upstream, what risk will come to your east-west controls and environment. So the first thing you do is enumerate the environment. See what you actually have out there. So get that visibility in place. Get an asset inventory in place.
With that asset inventory, make sure that you assign who's the stakeholder, the asset owner, to that, who's responsible for not just that part, but the whole complete system, whether it's the plant or if it's just the product line or production line. That's definitely the first place to start.

Okay. And from that...

And you keep going.

Yeah, I know. And I do, actually, I'd like you to continue, and maybe that other step about segmentation, because the segmentation you mentioned, whether it be the Purdue model, which is a very high-level architectural reference, or you mentioned zones and conduits in the IEC 62443. So with the visibility established or being established, talk a little bit about the segmentation piece of it as well.

Yeah, I'll start with segmentation. But realize that's a time-constrained level of effort, and you'll be attacked before you do that. So if we take a plant and you have to go and rerun wires through a whole plant, the cost of doing that right away is a little further downstream than dusting off your incident response books and enumerating the environment. So, once you dust off your incident response plans or business continuity plans, actually run a tabletop exercise to see who the actual stakeholders are, because shaking that dust off the incident response and getting the visibility into your system is the first thing to do. Then you can start working on segmentation, whether that's a virtual type of segmentation or rip-and-replace, which, of course, would be a higher level of effort. But that's the next part that you would go to. The ultimate goal there is actually to build out enclaves. So each enclave for a production line would have safe restart zones in it. So if you do lose one downstream system, if you're using a distributed process network or DCS or PCN or SCADA, depending on where you use them, but to keep one line up and running, you may want to build enclaves in that set.
So you can have safe restart zones, and that will keep the whole plant from being shut down. So you can actually look in there and see where the breach may occur, or if it was an incident, because chances are it may just be a timing issue or a problem with a Zebra printer or something at the end of the line that may cause that problem. So definitely start with those items first, because it's the low-hanging fruit, the most cost-effective way to protect yourself in building out resilience along your security journey. Then tackle the conduits and building out enclaves. And the conduits and enclave parts will tie back to the CMMC compliance law for doing work with the military, with the U.S. military.

Chris, this has been incredibly insightful, and it's a real powerful reminder that in the manufacturing world it isn't just a technical hurdle, but it's really the foundation of business continuity and resilience. And then it goes to our national defense, as the backbone of our manufacturing. So it's obvious that whether it's securing the supply chain or what we're doing as an independent manufacturer, that keeping the production line running is of the utmost importance, and the stakes right now just couldn't be any higher. So thank you again so much for sharing your expertise with us today.

Thank you, sir. I really appreciate it.

You betcha. For more insights on navigating risk and compliance in the OT space, please visit us at fortinet.com backslash OT. Stay tuned for more conversations in our manufacturing series.