Tell us a little bit about yourself, and your background…
Chandra Brown is the CEO of MxD, the nation’s digital manufacturing institute. Chandra oversees all technology investment, partner relationships and project execution for the institute’s more than $90 million dollar portfolio of advanced manufacturing technology, cybersecurity, and workforce development research, development, and demonstration. Prior to MxD, Chandra worked both in the manufacturing industry, including as the CEO of United Streetcar, and in the public sector as the Deputy Assistant Secretary for Manufacturing at the U.S. Department of Commerce.
Akin Akinbosoye is the Director of Cybersecurity at MxD. Akin brings two decades of experience to this role across healthcare, services and financial services in operations, risk management, and cybersecurity. Most recently, he served as the Business Information Security Officer at Allstate, with responsibility for cybersecurity across Allstate financial businesses.
Q1: Cyber security now – what are manufacturers telling us? What are they struggling the most with?
Manufacturers say they are confused and worried. With so much in the news, and tools and technical jargons to content with, manufacturers, especially smaller operators are perplexed. They do not understand what to prioritize first. They do not know where to start on the journey to better security, what is needed (tools and services for the job) and how to adequately fund cybersecurity (right-sizing cybersecurity expenditure). They lack visibility into their supply chains and the vulnerabilities and risks from therein. Other sources of concern for manufacturers, include protection of intellectual property (IP).; Properly protecting OT environment and communicate between the OT and IT.; and concerns about access to people with the required skills in cybersecurity to help secure and sustain their operations.
Manufacturers large and small face similar cybersecurity challenges, but the scale and capacity to handle them are key differentiators. The methods and tools for malicious attacks are the same. Intruders are probing and attempting to access manufacturers’ networks with the objective of stealing intellectual property and other assets for competitive edge.
These attacks are perpetrated by individuals, sometimes with the backing of Nation-States. The involvement of Nation-States introduces persistence and sophisticated tools that may not otherwise be available to private actors.
Manufacturers are struggling with traditional information technology threats like phishing, ransomware and denial of service attacks, but more concerned about the physical impact of a cyberattack. The implications of cyberattack in manufacturing could be different and more far-reaching and may be devastating consequences including potential for life and safety impacting.
Traditional attacks in manufacturing with noticeable impact are ransomware and denial of service, which could result in downtime and lost productivity. Recent examples of ransomware and denial of service attacks in the oil and gas sector have resulted in disruptions to operations and loss of productivity for multiple companies. Production stoppages were required to address potential life and safety impacting failures resulting from cyberattacks.
Q2: What is your advice for companies looking to baseline and start their OT security journey?
First, companies need to assess where they are. The current state analysis in manufacturing requires both an OT and IT view. While an assessment may have been completed on the IT side, organizations also need to understand and prioritize what exactly needs to be protected and their OT vulnerabilities for a comprehensive view of the risks across their factories and plants. A critical enabler for this assessment is the inventory of IT and OT assets with adequate information to support decisions about risks and security controls to protect these assets.
Establishing a baseline of OT security and plan of action for desired posture requires the use of established assessment framework. This ensures a systems approach to evaluation of current environment and practices. It also allows for a roadmap for improvements structured and informed by a set of industry recognized “good/best” practices.
The use of a framework allows consistent evaluation and identification of gaps relative to expected controls and risks, considering the risk appetite and other environment specific factors. Example of industry recognized frameworks are standards from the National Institute for Science and Technology (NIST), and the Center for Internet Security’s critical security controls (CIS’ CSC top 20).
Following the assessment, identification and classification of the gaps relative to the assessment framework, a plan of actions and milestones based on prioritized risks determined by the desired posture should be developed.
Where possible, an integrated platform of technology solutions is recommended for addressing noted gaps. This approach accounts for the need for multiple technology tools, while also emphasizing the need for integration for ease of management, comprehensive and effective treatment of security risks across manufacturing operations.
Having completed internal assessments, established a baseline and a roadmap for desired security posture for the operations, an evaluation of the risks from the supply chain is also needed. Some of the same tools that were used for internal assessments can be leveraged for this purpose. Risks posed by interactions with suppliers can be significant especially for critical collaboration partners with access to information assets on the factory floor and other business data.
MxD invites SMMs to see our cyber-physical demonstrations of live exploits of vulnerabilities on manufacturing equipment on our factory floor in Chicago. These demonstrations include our model of a water treatment plant and actuators. The key takeaways are the potential physical impact of cyber-attacks in manufacturing operations. Also, MxD can assist with required assessments and remediation work leveraging the expertise of the partners in our ecosystem. For additional details, please visit the cybersecurity section of the MxD webpage, sign up and join our free webinars (live and recorded) such as the one we recently had on “cybersecurity while remote working” and additional webinars planned.
Q3: Once IT and OT converge, they can effectively work together to create an advanced manufacturing environment that is productive, safe and secure. What are the steps these teams should take and the questions they should ask?
Step 1 is to cultivate trust and information sharing. The key challenge for OT and IT convergence is trust and lack of knowledge-sharing. Factory floor is often the domain of operations technology (OT) professionals, who traditionally, have a distrust of IT staff. OT staff often have minimal knowledge of information technology and practices required to support business operations.
Conversely, the IT staff lack enough knowledge and default to treating OT security needs with IT-centric practices and tools.
Convergence is therefore a journey based on shared-knowledge and building of trust between the two groups.
Key questions that should be asked to assure productive, safe and secure OT/IT operations are:
1. What are the key differences between OT and IT?
2. What does OT staff need to know about IT; and IT staff need to know about OT for effective operations?
3. What are the protocols to be observed by the teams (OT/IT) for effective coordination and management of IT/OT assets?
4. Is there a single technology platform for the management of OT/IT assets? This allows for joint-ownership and management of these assets.
5. What are the cultural changes that are required for collaboration between OT and IT staff?
6. Who is the champion/leader to facilitate, sponsor and enable the collaboration and convergence for optimal results?
7. Is there a roadmap and timeline for OT/IT convergence?
8. What are the interim steps required to get to optimized OT/IT convergence?
9. What are the key risk/performance indicators and expected outcomes of an adequately converged OT/IT security operations?
10. What degree of convergence is desired and/or enough for the realization of effective, safe and secure operations in advanced manufacturing operations?
Q4: What are your predictions on industrial cyber security in 2021?
Predictions for Cyber security in 2021 include:
- a. The pace of adoption and application of emerging technologies for efficiency and security in manufacturing will speed up. Primary technologies are machine learning, artificial intelligence and quantum computing. The cybersecurity implications of the application of each of these technologies and perhaps, a combination, cannot be overlooked as the benefits of these technologies attract adoption, they will also be exploited by malicious actors.
- a. The commoditization of hacking tools through low-cost and freeware designed specifically to target manufacturing equipment and growth of additive manufacturing enabled by 3D-printers will increase the frequency and scope of cybersecurity attacks in Manufacturing.
- b. Better awareness and attention applied to the cyber security by manufacturing companies – driven in part by attempts to comply with emerging cybersecurity regulatory requirements will force manufacturers to improve their security postures. With changing regulatory landscape around privacy and secure handling of contractual and other private and government data, manufacturers will be compelled to make incremental progress in their cybersecurity practices. Though compliance may not equal security, it however, forces changes and could be the impetus for overdue and needed changes to security practices.
Q5: We can probably agree on the fact that cooperation is key. How do you think we can achieve industry-government-academia cooperation to build the components of an ecosystem security framework?
Cooperation among industry, government and academia is crucial to an ecosystem approach to security of Americas infrastructure. To achieve this goal, institutes like MxD sit at the nexus of government, industry and academia and plays a key role in convening these stakeholders to build the collaboration necessary to advance shared cybersecurity goals.
Each stakeholder in this ecosystem has a role to play to assure of the goals of a more secure ecosystem. This approach recognizes that the strength of the ecosystem is measured in the strength of the weakest link in the chain.
Academia through research and curriculum development equip students (traditional and non-traditional) with the skills that are needed to support security objectives for industry and government. The Government should foster an environment that promotes innovation, and industry should be in constant partnership and coordination with both academia and Government to ensure their needs are properly articulated and informs research funding by government and the curriculum development needed to create a pipeline of future cybersecurity workforce with the required skills.
To further enable the level of coordination required to address these challenges, MxD holds a series of workshops, bringing together industry, government and academia with the result being a portfolio of projects across readiness tiers to enable early and later-stage research and development. While academia provides a pipeline of early-stage research work, the make-up of MxD’s project teams by design, allows the opportunity to advance early-stage research closer to manufacturability with funding (matching) support provided by government.
Creating tighter collaboration among government, industry and academia will allow alignment of goals, funding and research in priority areas for government and industry and shorten the time-to-market and development lifecycle from conception or ideation to production. You cannot underestimate the power of convening. By getting diverse groups of stakeholders with a common objective, progress can be expedited on the resolution of common challenges.
Thank you to Chandra & Akin for the insights shared during this interview and for their involvement in the upcoming ManuSec USA Summit in Chicago.
Keen to learn more about cyber security for the manufacturing industry?
Join us at ManuSec USA, October 13th & 14th in Chicago, to connect with manufacturing security leaders from across the US as well as hearing from expert speakers including:
- Arun DeSouza, CISO at Nexteer
- Arvin Verma, Cyber Risk Management Specialist at Pepsico
- Yancho Gerdjikov, Regional Security Lead at Nestlé
- Lisa Tuttle, CISO at SPX Corporation
- Michael Elmore, VP OT Security at GSK
- Ismail Guneydas, Cyber Security Assurance Manager at Tesla Motors
View the full line-up and check-out the online agenda here.
Visit: usa.manusecevent.com to learn more.
