SUMMARY KEYWORDS
ot, rockwell, talk, governance, controls, cybersecurity, Ahmik, asset, cyber, standards, industrial, ransomware, protect, systems, great, assessment, procedures, vulnerabilities, manufacturing, policies
00:03
Welcome to the Industrial Talk Podcast with Scott MacKenzie. Scott is a passionate industry professional dedicated to transferring cutting-edge industry focused innovations and trends while highlighting the men and women who keep the world moving. So put on your hard hat, grab your work boots, and let's go
00:21
once again, thank you very much for joining Industrial Talk, a platform that is completely and solely dedicated to industrial education, and celebrating industry professionals all around the world. Because you're bold, you're brave, you dare greatly, you innovate. You solve problems, you collaborate, you're making the world a much better place. That's why we celebrate you on this platform. We're talking cybersecurity. Yes, you're saying to yourself, Scott, cybersecurity, you need to know about it. You need to know how important it is in your life. And with Rockwell, a gentleman by the name of Ahmik Hindman, and he knows his stuff. He knows his stuff. The conversation is great. Paper and pencil. Let's get a crack. And yeah, you want to be digitally connected. You need to focus on that cybersecurity side, be protected. We need for you to succeed. That's what they're all about at Rockwell. Your success? Again, why not celebrate? Let's celebrate all these wonderful leaders and professionals. One of them. And you're going to have all the contact information for this gentleman out there on Industrial Talk because you need to connect with him. How about that for a plug? Here's another plug. We have this platform. And it's because we're so dedicated and just passionate about education and the speed at which industry moves, especially today, we need a way of being able to actively educate from the leaders from around the world in all topics in industry, so that you can succeed. Industrial Talk is that ecosystem. If you have a Podcast, right, let's say, Scott, I got a Podcast. And I've had people talk to me about this. I have a Podcast. And it's out on the typical platforms, typical Podcast platforms, not getting much traction. Industrial Talk, we work very hard to drive individuals and companies to this platform, so that they can access the information they need.
And it might not just be from me, it might be from other companies that have, you know, found out a solution that they want to share. That's what this is all about. So if you have a Podcast, if you have videos, if you have blogs, and you want attention, you want to gain and help educate industry, inspire next generation leadership, Industrial Talk. So talk to me, go out to IndustrialTalk.com and say, Scott, I'm interested, we have a Podcast, Scott, we have videos, we want to participate in this media ecosystem so that we can get our message out as well as educate the future. Because I'll be frank, we do a poor job at telling our story. We need to do a better job at that, we need to do a better job at inspiring the next leaders, and why it's important to be involved in industry, and why it is cool, and why it is something to pursue with vigor. That's what we need to do. And to do that we need to educate, and because you're part of the platform, you get to collaborate with all the other participants. Yeah, yeah. And I'll take care of all the other stuff. Industrial Talk. If you're saying, Scott, I don't even know how to really edit it. Okay. I'm here. Just ask me. It's important. All right, cybersecurity. Ahmik is in the hot seat. Great conversation. A must, paper and pencil. So enjoy this chat. Ahmik, welcome to Industrial Talk. Thank you very much for finding time in your busy schedule all the way up in Idaho, and running some cybersecurity workshops, as you said earlier. That's pretty cool. That's pretty cool. And yes, listeners, we're going to be talking about cybersecurity because you need to know about it. That's how important cyber is, and I know you're saying to yourself, Scott, I need to, and Ahmik has mad skills, so we're going to be enjoying it. So before we get into that, because you have mad skills, give us a little background on who Ahmik is and where you come from.
05:12
Yeah, I grew up in the northwest, north Spokane, Washington, went down to Washington State University, got my Bachelor of Science, EE, and then went to work for Rockwell. So I've been with Rockwell for about 27 years, focused on industrial control systems. And then the last kind of five really hyper focused on our networks and cybersecurity products and solutions.
05:34
Do you know where Grays Harbor is? Yes, yeah. I built a terminal in Grays Harbor. We're both liquid terminal. And I would fly into Seattle, head south, turn right at Olympia, head to the coast, beautiful, beautiful, like Spokane, too, beautiful stuff. All right. We're gonna be talking about everything that we're going to be talking about, it's going to be cyber related. And specifically, as it pertains to some standards. Give us just an overview, a quick overview, a primer to these standards that are coming out, and why it's important. How is it different? You get the picture? Yeah, on these standards?
06:23
also have standards like IEC
07:08
and NIST, that's out, that's, and that stands for the National Institute of Standards and Technology. Continue.
07:18
That's great. Yeah. And so there's a lot, there's many different standards that NIST has. They've got standards and guidelines. You know, there's one that's called 800-82 Rev 3, initial public draft, and that's like a 280 page document going through holistically how to secure, you know, recommendations and guides to secure industrial control systems. You know, that standard also references the NIST Cybersecurity Framework, and that's the one that is, you know, it's out for public comment right now. It's supposed to be ratified, I think, by November 3 of this year. And the big change that was made from the 1.1 to the 2.0 standard is really this adoption of governance, and the wrapping of governance around that cybersecurity strategy. And, you know, the different policies and procedures that we're trying to implement, we need to get that management buy in, in order to have an effective solution. Right? Because, you know, for example, today, if you look at the majority of applications, they don't have an OT, in the manufacturing space, an OT patch management strategy. You know, there's not a common disaster recovery strategy, we don't have, you know, a cyber risk management strategy for OT. IT has a lot of stuff. But oftentimes that doesn't carry down to OT. So that's the intent of that standard, really, to get the common language, get the adoption from the management team. So they define what that risk is, what is tolerable risk, and then we define our controls around that, and make sure we get common adoption throughout the organization.
09:05
So we're talking specifically or in general, this OT/IT merge, because you're absolutely right, the OT side has always been, well, operations. And this is how we roll and this is what we do. And this is how we keep, you know, the wheels turning, but as we become more connected, and as we become more dependent on those controls being connected and the data associated with that, it's imperative that that change, and you bring up an interesting point about governance. Does the standard, though, the draft standard, the 2.0 standard, help manufacturers establish the governance, and like, here are the parameters sort of in general, and then you can sort of customize it to meet your needs?
10:00
Yeah, it is, it is, you know, we talked about it, it is the Cybersecurity Framework, and it really is providing different categories and classifications, and within that, you know, the public document, that 2.0 out for comment, it has references to other NIST documentation, where they talk about how do I implement controls? Or what does cybersecurity risk mean? And those get into very specifics on, you know, here's what you should do. So think of this, really, that framework is really just providing a common language of how we reference this, and how we start to classify this, and we need to go through a very methodical process when we're looking at, you know, deploying controls, in a defense in depth manner. And we talked about that, you know, for years, as much as I like a single solution, like FactoryTalk Security, that's just one little aspect that's down at the application, the device layer, but we need to layer on multiple controls, and those controls are all part of this classification within the NIST, in this case, the protect category, but there's govern, there's identify, there's protect, there's detect, there's respond and recover. So those are, you know, really the six different categories that are included in the new
11:20
framework. You rifled through it, and as I have gone, gosh, these are points that we've got to sort of expand upon, because here's the reality. The manufacturer, it's new for me to be really thinking, I thought IT is dealing with all of the cyber stuff, let it deal with the cyber stuff and keep current and whatever that might look like. And now as we begin to go into that OT environment, and recognize that that's important. How does Rockwell Automation take me on a journey to be able to embrace these various layers? Walk us through that? Yeah, so, so
12:07
ucing products, you know, for
13:01
right after the IT guy, so
13:06
it's basically just, you know, that assessment process is typically where we start to really get an understanding of what they're doing today. And then, you know, understanding how that aligns with the goals of the organization. And then, you know, associating that with dollars that are available to go after, and potentially mitigate, in some cases, upgrade if they've got legacy equipment that's no longer available and can't patch it up.
13:33
So what I hear you saying, if this is correct, when I go through the assessment phase, what do you got? And that's really what it is. And you're able to identify some vulnerabilities. Is it possible for me to say, okay, I've got this amount of money available to help move this business or move this process forward? Can I do it incrementally? Do you sort of categorize or prioritize, say, don't let that one go, do that one first? Yeah, that's okay. That's all for now. But don't, you know? Yep.
14:09
Yeah, exactly. That's part of that assessment process. So there's something called kind of this crown jewels assessment. So you understand, you know, what is the most critical asset in your facility, and, you know, if I have my air supply for the entire facility go down, and that system goes down and affects the entire process, well, and it has a legacy control system on there that's not protected at all. Well, that's probably going to be one of the ones we're going to want to target right away. Right. So yeah, most companies don't have it, you know, unless it's a greenfield facility where you're starting from scratch and you've got capital, you know, already allocated, they can't come in and do all this all at once. So, yeah, definitely we're working with them to identify the most critical assets, kind of build a strategy in place to say, here's a plan. We'll do this incrementally. We'll address this phase. We'll do some segmentation, we'll put the right products in place, like, you know, the switches. So we can monitor and tie that into an OT intrusion detection solution, and then just kind of build upon that.
15:11
See, it seems to me that there's a really neat dovetail marriage that can exist between my asset management reliability strategy, because I'm going to have my asset criticality, hopefully, I've got my asset criticality laid out, like that motor is more important than this motor, and so on and so forth. And then be able to overlay that with your assessment of, say, yep, that's an important motor. And if that goes out, it's because, well, whatever it might be, and we're pulling off, it's connected in some way, shape, or form. Does that make sense? Yeah,
15:45
yeah. And that's part of that asset strategy, to make sure you've got the backup for that program. Right. So that's part of the assessment, to evaluate, you know, I'm still surprised, and depending on the manufacturer, there are some systems where they don't have an effective backup and change management program. So if that system is infected with ransomware, we've had this happen in manufacturing, in some cases, the number one target for ransomware, because of unpatched operating systems and applications. And in several cases, they might have a backup, but they failed to make a backup of the backup, right? If I'm leveraging one of our products called FactoryTalk AssetCentre, which is a way to check in and check out, I can schedule and go perform an upload and insert it in the database. That's a fantastic solution. But if I don't back up my AssetCentre database, which is a SQL database, and that gets affected by ransomware, now I get to rebuild everything. And we've had that happen to a couple of customers, unfortunately.
16:45
See, but you're bringing up an interesting point. So it's one thing to provide an assessment of my operations. So it's great, it's good, it's necessary, gotta make it happen. But the other side of that coin is sustainable, and sustaining that effort. Right? Right. How do you work in the world of change, excuse me, the world of change management, to ensure that this is a long term commitment, this journey? How do you work with that? Well, so
17:19
some of that goes back to the requirement on governance. So, you know, if I don't have policies and procedures in place, saying, you know, thou shalt use AssetCentre to manage your, you know, control system, all your changes, you know, you're agnostic, check in and check out programs, then, you know, if I don't have policies and procedures in place, some people want to follow it. Right. So having that governance, that management buy in, saying here is how we will manage our changes, and then providing visibility in terms of, you know, reporting, and we have a lot of that integrated, and there's ways to exfiltrate that data and centralize it, you know, so I can say, show me what changes have been made from plant one to plant two, the vulnerabilities that are associated with that, and the longevity status of those assets. So, you know, providing that visibility to enforce the governance, you know, saying, hey, yes, they are following it. I think both of those really kind of go hand in hand to make sure that that system is sustainable and maintained.
18:24
How do you combat that? Having insights into your OT environment, and just business as usual? And then things just happen? How do you programmatically have insights into your assets and ensure that the proper firmware, security, whatever it might be, how do you keep current with that?
18:53
Well, so one of the best ways to do that is if I'm passively detecting. There's a combination of passive and active work, where I've got an OT specific intrusion detection solution. So you know, Rockwell delivers Claroty, Cisco Cyber Vision, and Dragos. Right, so we would deploy that in the OT space where I'm capturing that traffic, I know what is normal activity. We can, you know, there's signature base and heuristics, so we can determine if there's deviations from baseline. If that engineer has never downloaded to that controller before, you know, it gets flagged. And as part of that, you'll be able to see that OT specific traffic, understand the firmware versions that are being sent, correlating that to the latest vulnerabilities. So that's probably the best way to do that. Now, there's some cases where I can't, you know, passively scan that network and see all those different devices. A prime example is, if you know our ControlLogix chassis, it's chassis based. One Ethernet card, I've got a backplane. And I've got another card, I might have some sub networks there, that data is never traversing that switch where I'm monitoring it, I'm not going to have visibility. So, you know, sparingly, we would do some protocol specific active scans to discover those assets. And so in combination with that, if I've got, you know, good coverage, then I'm going to have the ability to stay on top of that firmware, what's out there, and again, correlate that dynamically to the latest vulnerabilities.
20:32
You briefly, and we hammered on the assessment side and what to do. And I love it, because I always look at the people. I just, I never really, I never stumbled on the technology. It's always sort of the how, from my perspective, in the world of manufacturing, in cyber, it always gets down to the people. You briefly mentioned, you rifled through it briefly, there were seven? So take us through those seven points.
21:06
Even as far as the different categories,
21:08
yes, layers. Yep. So when I
21:12
present, in fact I did this this morning with a bunch of customers, presenting the NIST Cybersecurity Framework, and we talk about and align this framework to really that attack continuum, that before, during and after. And within those classifications, the before is really identify and protect, the during is detect, and the after is respond and recover. And as a wrapper, I like to show it as a wrapper around that, is the governance piece, that's part of the 2.0 framework. If you take a look at theirs, they put it kind of in the center, but I really think it should be on the outside. And so in my infographic that I use, I show that as really the outside, managing the policies and procedures that support those different areas. And so there's different controls within each one of those areas. Yeah.
22:07
So we've got before, during and after, and under before you identify and protect, during is governance, during
22:15
is detect. Okay, detecting it.
22:18
Ah, all right. Yeah. And then. Yeah, yeah.
22:26
Okay, a question I always get, that always pops up. If I'm a manufacturer, and I've got my policies and things in place, and I'm properly protecting, then I'm detecting, or protecting and detecting, is there a way that I can sort of, in a community way, be able to share, like, hey, this was sort of the new thing that we saw over here. This is how we, you know, recovered from it. Do you get what I'm saying? Is there like a body that says, yeah, okay, that's new? Because it always changes. Right?
23:16
Yeah, and so there are different, you know, groups out there that provide that as a service, you know, the threat intel, to say, here's the tactics and techniques and procedures that this ransomware group is utilizing. And by the way, they're attacking, you know, this specific, they're going after critical infrastructure and targeting, you know, energy or food and beverage. And so we can incorporate that threat feed into the protection systems and detection systems, so that you can be alerted based upon some tactics and techniques that you're starting to see, and see if you can attribute that to that specific group, and hopefully mitigate that.
24:00
So, what I see is a picture that we have in place, strategies around before, during and after. We have the systems in place to be able to be more proactive, to have that passive and active assessment or identification within your operations. Now, the role of the governance body, what are some of the rules, of saying, hey, we've come together and it's like, everything's fine, everything's fine. We've got everything in place, everything's identified, or what? Give us, take us through a little role play on the governance, like what they do?
24:44
Yeah, so the governance, NIST classifies those in different categories. You know, they start with this organizational context and risk management strategy, there's a supply chain piece in that, there's roles and responsibilities and authority, and then it comes down to the policy, there's procedures and oversight, how are we going to enforce this? So it really depends on what we're talking about. If we're looking at, you know, patch management, which is what I tell customers, hey, we've got to segment the network between IT and OT, manage and monitor that, restrict the data flow, and deploy a patch management strategy, come up with a patch management strategy, and those combinations would mitigate a lot of the ransomware that we're seeing affect the control system. So that patch management requires a policy and procedure and process, how are we going to do that in the OT space, because patch management is totally different in the OT space than IT, we talked about, right? See, you know, typical IT, the CIA, the confidentiality, integrity, availability, and that's reversed on the OT and manufacturing side, right? Availability, integrity and confidentiality. So we have critical systems, some are life safety systems that have to run 24/7 365, right, you can't just deploy a patch on that. So now I get to deploy some mitigating controls around that. So you have to have that kind of baked into that policy and procedure, and develop a patch management strategy specifically for OT. So that's where that kind of governance comes into play. Right? Now, oftentimes, we see that there's not, it's really up to that engineering manager, or maybe that person that's responsible for maintaining that, how they're going to protect that, and that's not going to be consistent from facility to facility, or even within the facility, right.
26:38
You know, for lack of a better term, if I didn't have my headphones on, my ears would be bleeding. Because there's a lot, but it's manageable, meaning if I find myself aligning with Rockwell Automation, in this particular conversation, the only way I know that I'm going to be able to effectively, you know, manage what's going on, what's happening out there in the cyber world, I have to find trusted cyber experts. There's no other way. And keep me, manufacturing guy, doing what I do best, and that's manufacturing, and allow the technology and the policies and procedures to do what they do best. And that's keeping my business up and running and protected. That's how I see it. Yeah. And it could be incremental, right? It doesn't have to be big bang. So that's great. I don't know. It's just good stuff. It's a
27:47
challenge. To get to that point, oftentimes we see the OT side, if the company's big enough, hiring somebody specifically to manage security, and also be the liaison internally between the OT and IT side. Sometimes that expertise comes from the enterprise side. And then they have to basically be taught OT, what's different and how it's unique. But even that one person, even though they're allocated and assigned to that, there's just so much to know, they cannot, they've got to basically rely on outside sources to help.
28:25
So I was just going to say, this is sort of a really clear example of a managed services sort of relationship. Because if I brought somebody on board, and that individual probably has the chops that are necessary for, you know, today, it's the dynamics of the market, where if it's a Rockwell Automation, you get all that latest and greatest information, where I might be just an island. So it's a great managed services model. Right.
29:00
And we do that for customers, regardless of whether they're Rockwell, or we manage other assets that are non Rockwell, so, you know, rarely is it all Rockwell. In some cases, like I said, on a greenfield facility, sometimes, you know, we're working closely with the customer and they want to standardize, minimize spares, minimize training requirements, then the majority of that facility is Rockwell, but oftentimes you have a mix, right? So we have to deal with that for them.
29:29
Yeah, you're not gonna let them hang. Like, sorry, we noticed that 20% of your asset base is Rockwell and you're on your own for the 80, you know, no, that's not gonna fly in any situation. All right, as we wrap up, somebody's listening out there. They want to know more about NIST. They want to know more about how to properly protect their business. How do they get a hold of you?
30:00
I'm on LinkedIn, they could reach out, that's probably the easiest way. Just find me on LinkedIn and reach out that way. And then we can touch base and chat and provide additional contact information there. But if you just do a search for Ahmik, it's A-H-M-I-K, last name Hindman, H-I-N-D-M-A-N. You'll find me on LinkedIn and
30:21
well, fear not, listeners. I'm going to have Ahmik's LinkedIn link out on Industrial Talk. So you don't give me an excuse that you can't get a hold of him. Because it's out there. Industrial Talk, big time. You were absolutely wonderful. Love the conversation. There's a lot more to be chirped about. Oh, cyber. I don't know how you keep up with it. I don't know. And again, for me personally, if I'm a manufacturer, I just really want that to be taken care of, and that I can sleep at night knowing that my assets are properly protected. And I don't have too much, there's no friction on my end. That's all right. Yeah. Excellent. All right, listeners. We're gonna wrap it up on the other side. We're gonna have all the contact information for Ahmik out on Industrial Talk. Stay tuned, we will be right back.
31:14
You're listening to the Industrial Talk Podcast Network.
31:25
Boom. Ahmik, right there. Reach out to him. His LinkedIn stat card is out on IndustrialTalk.com. So make sure that you do the right thing. And on your to do list, reach out to Ahmik. Rockwell is the company. Yeah. Yeah. Absolutely. All right. Again, let me just reiterate this. We need to tell our story. We need to tell our story in a way that is engaging. Industrial Talk is the platform. You have a Podcast and you want greater traction to it, Industrial Talk. You have videos, you want people to watch them, Industrial Talk. Be a part of the ecosystem, this media ecosystem. It's easy. You just reach out to me and say, Scott, I want to be a part of it. There. That's the process. Nothing more, nothing less, then we start working together. And then we start to gain that traction that you need. Be bold, be brave. Dare greatly. Hang out with them, change the world. We'll have another great conversation shortly.