Loading Episode...
The Industrial Talk Podcast with Scott MacKenzie - The Industrial Talk Podcast with Scott MacKenzie 14th June 2021
Richard Ku with Trend Micro and txOne Networks talk about Cyber Security Challenges with Digital Transformation
00:00:00 00:28:57

Richard Ku with Trend Micro and txOne Networks talk about Cyber Security Challenges with Digital Transformation

In this week's Industrial Talk Podcast we're talking to Richard Ku with txOne Network and Trend Micro about "Cyber Security: Digital Transformation Challenges Facing Industrial Organizations".  Get the answers to your "Industrial Cyber Security" questions along with Richard's unique insight on the “How” on this Industrial Talk interview! Trend Micro Event:  Cyber Security Perspectives.  Hold Your Seat Here. https://youtu.be/jjVYi2OIBG8 Finally, get your exclusive free access to the Industrial Academy and a series on “Why You Need To Podcast” for Greater Success in 2020. All links designed for keeping you current in this rapidly changing Industrial Market. Learn! Grow! Enjoy!


Personal LinkedIn: https://www.linkedin.com/in/richardku1/ Company LinkedIn: https://www.linkedin.com/company/trend-micro/ TX One Networks Company Website: https://www.txone-networks.com/en-global Trend Micro Company Website: https://www.trendmicro.com/en_us/business.html



Other Powerful Cyber Security Resources:

https://iiot-world.com/ics-security/cybersecurity/whitepaper-integrating-security-into-the-iot-strategy-in-the-new-converged-environment/ https://us-cert.cisa.gov/ics https://www.waterisac.org/ https://www.trendmicro.com/us/iot-security/



NEOMhttps://www.neom.com/en-us CAP Logistics:  https://www.caplogistics.com/ Hitachi Vantara: https://www.hitachivantara.com/en-us/home.html Industrial Marketing Solutions:  https://industrialtalk.com/industrial-marketing/ Industrial Academy: https://industrialtalk.com/industrial-academy/ Industrial Dojo: https://industrialtalk.com/industrial_dojo/ Safety With Purpose Podcast: https://safetywithpurpose.com/


LifterLMS: Get One Month Free for $1 – https://lifterlms.com/ Active Campaign: Active Campaign Link Social Jukebox: https://www.socialjukebox.com/

Industrial Academy (One Month Free Access And One Free License For Future Industrial Leader):

Business Beatitude the Book

Do you desire a more joy-filled, deeply-enduring sense of accomplishment and success? Live your business the way you want to live with the BUSINESS BEATITUDES...The Bridge connecting sacrifice to success. YOU NEED THE BUSINESS BEATITUDES!


Reserve My Copy and My 25% Discount


SUMMARY KEYWORDS cybersecurity, organization, industrial, business, digital transformation, guidelines, digital transformation journey, important, understand, big, trend micro, podcast, industry, conversation, ot, running, number, challenge, requiring, system 00:04 Welcome to the industrial talk podcast with Scott MacKenzie. Scott is a passionate industry professional dedicated to transferring cutting edge industry focused innovations and trends while highlighting the men and women who keep the world moving. So put on your hard hat, grab your work boots, and let's get All right. Welcome to the industrial talk podcast, your single location of all things industrial, because we celebrate you the industrial hero, you are bold, you are brave, you dare greatly. You solve problems. You're changing lives, you're changing the world. You're the dream makers. You're the miracle workers. That's why we celebrate you on this podcast. This is podcast number two, in our series on cyber security when you're in digital transformation, when you're saying hey, and I've talked to a lot of people near saying, Hey, we want to go down this digital transformation journey. Yeah, cybersecurity, let's get cracking. Yeah, you can't you can't just sit there can't just sit there and say, Oh, yeah, we want to go down digital transformation, which you should, which is important. It is necessary to create a business of resiliency, long term success, competitive advantage, you name it. It's important. And there are incredible individuals out there credible companies that are that you need to contact. And of course, they've been on the industrial talk podcast, because we're all about the need to educate, collaborate and innovate. So that's what we're all about. Now. This is podcast number two. This is with Richard Kuh. He is with Trend Micro. And I like their tagline. Here's the tagline securing your industrial digital transformation journey. Yeah. And on this particular conversation, we're going to be talking about industry business, technical challenges with organizations on their digital transformation, journey. Yeah, that's what we're doing. However, however, grab your paper and pencil because what you've got because this is cybersecurity, we're celebrating cybersecurity. Here, we're celebrating the people, like team Trend Micro boom or TX one, right. That's another nother company, same parent. But anyway, we're celebrating cybersecurity this month, just because we talk about digital transformation. We keep on sort of overlooking that cybersecurity side. So with that said, there's an event and it is June. Well, it starts June 15. If you're in the Asia Pacific area, or the Middle East, Africa, Mediterranean, it starts at that time. Or if you're in the Americas or Europe, June 16. It is live, right? But they're gonna be pumping it out. And I will have all of the information the times and how to save your seat. Yeah, it's global baby. And it is necessary. And it's important. And you're going to be hearing from Eva Chen. And she is the co founder and CEO of micro trends. So they've been around a long time, she's seen a lot. And I highly recommend that you do that if you're on this digital transformation journey. Alright, let's get on with the podcast. Once again, this is number two, if you haven't listened to number one, cybersecurity threats, challenges and risks. Go out there. It's out there. It's published right now. This one's going to be industrial business and technical challenges facing organizations as they go through digital transformation, important conversation. Richard nails it? Of course he does. And here it is. All right, Richard, welcome back to the second installment of the Trend Micro cybersecurity, caught, you know, conversation and we're going to be talking on this particular podcast, industry, business and technical challenges facing industrial organizations as they go through their digital transformation. slapping journey. Richard, how are you? Good. Good to be back. Scott, and I good to hear from you again. I am telling you that I'm hypersensitive to cybersecurity. I'm hypersensitive to what is taking place, specifically with industry and their desire to go down the digital transformation road. But a big component of that is of course, their cybersecurity and being focused on that. What are those challenges that we are talking about in this industry? And the technical challenges in industry? 04:54 Yeah, so I think like every other industry, right, I think over the last I was, you know, many decades as organization going through that transformation. But, you know, regardless of you know, if you look at back in the 90s, were, you know, that you had that transformation from, you know, desktop to server and client server architecture to wide area network, the internet now, virtualization cloud Ryan, every time you see this transformation by every other's decades, you do have a, I will say, level of concerns when it comes to cyber security, because as you transform the organization, you will open up more vectors and more threat vectors for the organization, and is very similar to this digital transformation, you know, also in industry, or in industrial space as well, you know, when you go from an industrial 1.0, right now to 4.0, you see that big changes, and you start to see more, I think drive vectors, you know, coming around. And so, definitely, there is a lot of business and technical challenge facing many, you know, organization. One specifically, I think one of the biggest one is, you know, we talked about the lack of domain knowledge, or expertise out there in providing sufficient cybersecurity knowledge and, you know, adding countermeasure for organization, and that's a big one, I think, today, we are facing a big challenge in that for many organizations, right, because, you know, lack of expertise are the second big one, I think, as organization going through this conversion between it ot right, you know, you have a very unclear roles and responsibility between the IT organization in the old tea, and that have not yet been fully defined. And you're not clearly defined by many organizations. So that is a big challenge, I think, for many organizations as they go into transformation, right? Because traditionally, all the cybersecurity are typically managed by the you know, it, folks, and now you're adding this additional component that creates, you know, that big challenges. We also talk about, kind of the third thing is all this legacy liability, right, you know, you got some of these environments on this platform. And some of these networks have been around for decades. And, you know, many of these systems are all right, you know, especially if you have a SCADA system or ATM machine running Windows seven, or Windows XP, and those environment is Oh, it doesn't get updates or patches. Right. So that's a big challenge. And so that legacy issues become very, very important thing. The fourth thing I think, is a big, you know, I think business challenge is you have this, I will say organizations tend to pursue, right, the economic, overall, this cybersecurity, right, me, meaning that they tend to, you know, focus maybe maybe on a business or color, you know, cybersecurity is kind of the secondary, you know, I think, and so, this is a big challenge. And I think we can move at the cyber sphere to be, you know, I think side by side with each other, right, you have to have the same priority, as part of your planning or, you know, of your business plan. And I think the fifth thing is also kind of that return on the investment, right? Oh, I, you know, sometimes it's very difficult for, you know, organization, for example, I turned Microsoft wants to go talk to, you know, company about cybersecurity. And, you know, sometimes they say, Well, you know, what's the Oh, you know, how do you prove that return on investment? Right? So it's I always telling people, it's like, you're buying insurance, right, you know, you got to buy insurance to cover yourself in case something happened, right, you are protected, or you're, you know, at least you're good coverage. And that's kind of some was similar to kind of like, you know, cybersecurity for the, you know, ICS or the industrial control environment. Now, of course, I think that the other big challenge, you know, we are seeing a lot lately, it's also some of this regulation or compliance, right. Or some of the executive order, you know, from the government, right. So, for example, the recent executive order from President Biden, right, also, you know, making as I think, some kind of guideline for organizations to start to put in place a cybersecurity plan for the, you know, critical infrastructures. And so, those are some big, you know, interesting, but also, regulation, that is a big challenge for many businesses. So, I would say this is someone that big four or five items that you know, is really a big challenge for many organizations. Alright, listeners, 09:54 let's let's summarize real quick on what we're talking about here. The first one is Lack of domain knowledge, big business challenge. It ot convergence. Absolutely agree with that. Legacy liability, that's number three. Note that out that's, that's really interesting organizations in pursuit of economic benefits versus that need to look at their cybersecurity element. Number five would be the return on investment ROI, sort of from a cyber perspective, and companies or customer perspective, difficulty in trying to quantify the value of cybersecurity. And finally, number six, the regulation and compliance and, of course, executive orders coming out of DC that are requiring businesses to implement or have guidelines. Very important. Let me let me go back back to the number one, when we start talking about lack of domain knowledge, how do we solve that? What do we do to solve lack of domain knowledge? 11:07 Yeah, I think there are a lot of things that I think our organization can do, right, you know, for example, as an industry, right, you know, we are started to, you know, go out there, and really educate and train organization about cybersecurity, but also, you know, out of the university and some of the college right, where, you know, you just started to see many, you know, I was a university start to provide training, education and certification or program, our degree program on cybersecurity. Right. So I think that's one way that we can actually really increase the level of I think, you know, expertise out there. So I think that will be very helpful. I mean, today, I think we have probably more than a million plus, you know, I was a cyber security, I have not been filled in, I think that will really help by by having more expertise out in the field. So that's one thing. Hold on, hold 12:04 on, I have to interrupt you just about a million plus openings. Did you say? 12:10 Yeah, I think last year, when I look at the numbers, you know, from some statistics indicate that there are more than a million jobs that need to be filled, when it comes to cybersecurity. Right. And, and that's really a challenge for organization because especially when understanding both the it and ot environment, because, you know, having it scale is one thing, but having both the it and ot or industrial control, cybersecurity expertise. And, you know, I think experience is that's a really big one. 12:44 What do we do about it? And I'm going on to the next one, I like how you answered number one. Number two, how do we address and gain greater synergies between it activities and ot activities? 13:00 Well, I think that there's a couple of things that I think organizers can do, right? Typically, traditionally, you don't have this, I was a conversation between these two groups, right. And they had to be more collaboration, right between the IT organization or the organization, and that need to happen. And that mean, it required, you know, let's say, doing the planning in cybersecurity together and make sure that both sides coming to the table, I have that conversation, understanding the roles and responsible who need to do what, and define clear guidelines for everybody, so then that's really gonna be able to help people on that area. In terms of this, you know, I think, roles and responsibility between it ot I think the other way to do it also is, you know, I think, you know, organization need to be to fully right, understand that cybersecurity, it is not just a it issue, when I ot issue, right, you need to really have a holistic understanding of what happened on both environment. And that also need to happen, right? I think when we start having some this conversation that you're going to be able to solve some of these, the issue right, understanding this is not just in it otas you may as a company issue. So those are some of the few things 14:21 yeah, no, you're spot on there, Richard. And what I see as a result of this, it is what it is it's industry for Dido, it's digital transformation. And if you're a company, if you're a manufacturer, if you're in water you whatever you're in, you're going to have to have that that that ability to collaborate and then have that holistic view if you want to go down the you know, digital transformation journey. It just is. No the way 14:49 Yeah. Let's talk in. Yeah, no, no, I say it's difficult for to to really address a cyber security by just looking at one little one side. You know, only, you have to have a holistic view. 15:02 I like that. Let's talk about legacy liability. What are we, outside of getting new computers? What do we do about legacy liabilities? What's the solution? 15:16 Well, you know, I think some of these environments, especially in industrial controls are some of the system have been around, you know, for decades, right, and they were never really designed to, you know, kind of reprise or you, you know, was never really part of that design or implementation. Beginning. So, some of the systems probably going to continue to go on for the next hour, you know, maybe five to 10 years, right, until a new system are put in place. And so I think there are some, you know, things that organization can do, right, you know, for example, some of these environment, even though they're running, let's say, you know, Windows seven, or Windows XP, and they are, your technology capability can help address some of this issue. Like, for example, if you have an HDMI machine running Windows seven, right, even though a lot of vulnerability, or require some patches, or there is whitelisting, or lockdown solution out there in the market that you can actually deploy in some of the systems in lockdown, or their audit type, or let's say, you know, IPS capability that you can actually put in front of some of these box, so they can filter all this traffic and make sure that they are, you know, being, you know, check and verify for any potential risk to the someone's Hmm, machine, right. So, so those are some of the things that I think company can do to address some of this, then probably last but not least, really kind of, you know, make sure that the security solution that are put in service, Environmental Design, right in the way that is for this kind of environment, right, you cannot just go down, and you know, try to, you know, pick up some, you know, it product and expect it to work on some of these, you know, industrial control systems, right. And so, you know, building an adaptable or you know, you know, adapted solution that can, you know, easily adapted to the existing infrastructure or this existing environment, I think that will be very helpful. So, those are some of the two or three things I think organization can do. Right. And they are all the things that I think, are tools and technologies, are there already as well. 17:24 Is it important to be able to understand, like, from, from, as I look at inventory to understand those vulnerabilities out there, those old legacy systems, those legacy liabilities? Is it important for us to have that, that understanding and then develop a strategy with that? 17:45 Yes, I think it's very important to understand, you know, what's going on in your networks and your environment, I think it will very helpful for you to, you know, build a good strategy or any plan to to address them in cybersecurity, right. And I think, you know, in the, you know, I would say the last couple of decades, we really more talk more tea, right, and we are all this shadow IT system, you know, bringing our BYOD stuff with that, you know, into the company. And that's also create a lot of challenge. As we go into this similar trance transformation on the, you know, the industrial control side, we will have shadow ot right, and so having a very good visibility across all these different devices. And in your organization, you know, what, how your network construction look like, I think that will really help you to plan a good cyber strategy from top to bottom. 18:41 How do you this is number four, how would you address businesses are going to always look at the economics of whatever project they're putting in place, they're going to say, we do this, we get this benefit, this economic benefit? How do we start to incorporate the necessity to bring in the cybersecurity conversation at the beginning of these conversations? 19:08 Yeah, I think that's a very important question, Scott. And, you know, I always tell folks, at least people that I speak to that, you know, cybersecurity should be part of your, you know, planning, right, is part of that early planning process, and be baked into your overall strategy. Right. And, you know, and you will be able to basically see the return as you start to implement some of this plan, you know, on the, I guess, on your strategy, or as part of the implementation plan. 19:51 I believe that it's, it's, 19:54 yeah, go ahead. Yeah. So I think like, for example, Maybe in order for us to really show them, you know, the economic right that, you know, cybersecurity can add value, right? We talked about the planning, but also, you know, we can show that, you know, having a cybersecurity strategy in place, and, you know, we can show, you know, instead of showing maybe the sea level, you know, people just a bit and by by really kind of tell them that, hey, you know, if your system go down for X number of weeks, or months, or days, right, here is a cause for, let's say, production, or here's the cost for having your system to go down, right? If you can show those kind of economic numbers, I think that will be quite beneficial. And so this way that we can do that there are in a model, you are the organization create the show that, 20:54 you know, and that's in line with number five, that is the ROI. I mean, yeah, you might invest something, it's hard to quantify it. But it's easy, from my perspective, to see the risk that exists out there, and how it applies to your business. And if your business goes down for a period of time, how much money you're in that business to ensure that assets stays up and productive. 21:22 Right. I mean, especially on the industrial control, sir. I mean, I think the keep the operation from running as a big critical issue, and the safety and reliability of the system. I mean, those are probably two of the most important, especially on the industrial side of things. 21:41 Last question, and this is with the number six, that regulation and compliance. How is Trend Micro sort of leading the way because just like anything else, whatever comes out of Washington might be some sort of, you know, sketch, but it requires companies and organizations like Trend Micro yourself and professionals to be able to say, oh, what do you guys do in there to help businesses understand that regulatory and compliance edict? 22:15 Well, there are a couple things that we are doing, especially when you have, you know, regulation and compliance like this, you know, out of, you know, say, DC write a couple things I want, you know, we work with our partners, right, try to truly understand what are the requests? And what are the guideline from the orders, and then we will work with this partner to understand that and try to write requirements and plan to address some of these, you know, you know, requiring so for example, that requirement actually came, and I think the reason is deco came in, and I think they requested for like Sisa, right, or, you know, some organization to come up with some kind of best practice, right? And in there, there are some recommendations about, okay, what type of security controller you need to put up in place to address this particular issue or challenge, right, and they will provide that recommendation, right. And then we, as a security provider, we actually come in, and we say, all right, for, let's say, activity, A and B, right, we have this type of security control that address those two, you know, requirement, you know, stuff like that. So, that's what we've been working on. And, you know, working with our partners to do that. The other thing is that we're also actively basis basically tried to understand exactly what each of those, you know, a day requirement coming from, you know, to the government, right, and, you know, we will work with that our product development organization to make sure that all security solutions are designed in such that will address some of this concern, right. So, you know, one of the big things they talk about on critical infrastructure is what I bought, like some of the SCADA system and how do you lock down somebody's system, right, well, how do you protect somebody's system? Well, and now we basically tried to figure out what the best way to lock down and say, Hmm, machine running, you know, Windows XP, right? Well, there's a couple ways one, you could, you know, put a lockdown solution that you can actually like down the system, make sure that nothing can be you know, compromised or nothing can be run on that system. Because typically the system designed such that only Allah type applications run as you can do that, that's only a first step in helping the customer or to adjust them this executive order is, um, this requirement. So those are spirit thing that we are doing in terms of these orders. Is there going to be a validation that they comply with the guidelines, the new guidelines, the executive orders? Well, I haven't see any enforcement yet, right? I mean, I think today, most of those guidelines are more of a guideline and make sure that organization or start to put some of these in place, especially if it wasn't as critical infrastructure. They're affecting, you know, I think our economy, right, so those are guidelines. I don't know, if you know, when that's gonna become, you know, something that will be enforced. You know, I think there are certain verticals, you know, I think they may, right, need to be enforced, right? To make sure, you know, organizations start to implement, you know, for example, like Les Paul in water, right. Energy, right. Those are, you know, critical infrastructure, you know, that it can only copy. So, by this for now, I think that there isn't any, you know, enforcement yet. It's more of a guideline. 25:53 All right, let's summarize this incredible conversation. We've got six key points, lack of domain knowledge, these are business challenges, it ot convergence, they need to collaborate, need to have that that desire to look at your business holistically, legacy liabilities, of course, that is a big important component. But there's ways of being able to lock down that we're looking at the pursuit of economics versus the cyber side. But that has got to be done at the beginning of this conversation, which then rolls into the ROI, because you don't want your asset to be sort of just sitting there falling apart because of being compromised. And the last one, of course, is regulatory regulation, compliance, and of course, the new guidelines. Did we leave anything else out? All right. All right. Well, I know so good. Yeah. Yes. Okay. Well, thank you, Richard. That's an incredible, incredible value for the listeners out there. Let's put it this way. If you're in the world of digital transformation, if your business is going down that, that avenue, you need cybersecurity, whether you like it or not, and that conversation has to happen at the beginning. And you're going to have to figure out what your legacy systems are your legacy liabilities, and, and address those as well. So that your asset is up and running and doing what it needs to do. All right, Richard, thank you very much. Thank you, Scott. All right, we're gonna also have all his contact information, if you want to connect with him, which I highly recommend. It'll all be out on industrial talk.com. You're listening to the industrial talk, Podcast Network. 27:50 Alright, this is, once again, podcast number two in our cybersecurity, love best, whatever you want to call it, because you need it. Because you need to be engaged in your digital transformation journey, everything that's associated with that. And cybersecurity has to be at the very top of that conversation. All right, if you have not, you got to find out about podcast number one, it's out on industrial talk.com. Again, because cybersecurity is so doggone important. We've got an event. It's out there it is covering all time zones, right? So it's June 15, and June 16, depending on where you're at. But I've got the link out there on industrial talk comm so fair not find the place that you're, you're at, and it's going to be featuring Eva Chen, and she is the co founder and CEO of micro trend, micro very important, very important conversation. All right. Be bold, be brave, dare greatly hang out with people who are bold and brave and daring greatly and you will change the world. We're gonna have another great cybersecurity podcast right around the corner. So stay tuned.