Dive into the world of manufacturing cybersecurity with an insightful podcast episode featuring Ashley McGlone, a seasoned technology strategist from Tanium. Join your host, Luigi Tiano, as he engages in a riveting conversation with Ashley, unraveling the complexities of Industry 4.0, IoT, and the critical role of cybersecurity in the manufacturing landscape.

In this episode, Ashley shares his wealth of expertise, drawing on decades of experience in the tech industry, including roles at Microsoft, Toyota, and his current tenure at Tanium. The duo delves into the challenges posed by the convergence of IT and OT, exploring the unique cybersecurity concerns faced by manufacturing companies in an era of increased connectivity and automation.

Discover the significance of standards like ISA 62443 and the Purdue model in structuring cybersecurity practices for manufacturing environments. Luigi and Ashley explore the pressing need for visibility and control in OT environments, shedding light on the evolving trends and the potential risks associated with cloud integration.

As the conversation unfolds, Ashley provides valuable insights into the diverse mix of devices in manufacturing and how strategic platform partnerships can be the key to effective cybersecurity. The duo navigates the landscape of resources available for companies venturing into cybersecurity enhancements, with a special spotlight on the SANS Institute's industrial controls training.

Resources: 

Watch the episode: https://youtu.be/1u6Ot5s-sXI

Ashley's LinkedIn: https://www.linkedin.com/in/ashleymcglone/

Tanium's website: https://www.tanium.com/

Luigi Tiano’s LinkedIn: https://www.linkedin.com/in/luigitiano/

Assurance IT Website: http://www.assuranceit.ca/

About Ashley McGlone: 

Ashley McGlone has spent his life in IT. Between recordings of Tanium Tech Talks he enjoys advocating for customers, getting in the weeds of tech, and savoring a particular retro variety of red licorice. In his role as Technology Strategist he researches and creates vertical-specific guidance for customers to maximize their Tanium experience. He also is a megaphone for customer feedback to the Tanium product teams. As a frequent conference speaker he's always looking for opportunities to share the "Wow Tanium" experience with new audiences. Message him just to say hi or to talk Tanium and tech.

About 10 Questions to Cyber Resilience: 

Twice per month, learn about how IT leaders are strengthening their cyber security practices. Every episode comprises of 10 questions that get you one step closer to cyber resilience. Subscribe to stay up-to-date with hot topics in cyber security. 

About Assurance IT: 

Assurance IT (www.assuranceit.ca) specializes in data protection and data privacy for the mid-market in Canada, since 2011. The Montreal-based company’s unique approach to helping customers become cyber resilient is called the PPR Methodology which stands for Prepare, Protect and Recover. Based on industry best practices, the PPR Methodology is an easier way to achieve cyber security and compliance objectives.

All right.

Good morning everyone.

Good day.

Today I've got Ashley McGlone from

Tanium with me in the podcast.

I had the opportunity to talk

with one of his colleagues

a couple days ago, and we

talked about specifically

manufacturing and cybersecurity

in the manufacturing field.

So without further ado, I'm gonna

ask Ashley to introduce himself.

What his expertise is, where he

is working today what he likes

to do on a day-to-day basis.

And then we'll start from there.

Thanks for

having me on the show, Luigi.

This is a lot of fun.

Been looking forward to it.

Yeah.

I'm Ashley McGlone.

I'm a technology strategist

in our manufacturing segment.

So I've spent the last few

years here in this part of my

tenure at Tanium, focusing on

manufacturing customers and where

Tanium is relevant to them on

the factory floor, helping them

with visibility and control.

I've been here at Tanium

five and a half years.

Before that, I was with

Microsoft for about eight years.

Before that, Toyota

for about eight years.

And if you go all the way

back, I started with Commodore

in 1982, so I've been doing

technology for four decades now.

Wow.

Impressive.

Impressive.

I'm sure the time at Toyota

helped build your knowledge with

regards to manufacturing there.

Obviously manufacturing has

become a huge, fundamental

piece of our ecosystem.

It's really integral

into everything.

What we're seeing and more so now

is that manufacturing companies,

like it or not, have become huge

attack surfaces for bad actors.

There's so much technology

that's being integrated

on a day-to-day basis.

I know you're very tactical

in your day-to-day.

Can you define some

of the terms we hear?

Some of the people listening

to the podcast may or may

not know what the terms are.

We talk about IT, we talk about

I o T, we talk about OT, I I

o T, maybe give us an overview

of what all that's about.

There's a lot

of i's and o's and t's in there.

Let's sort 'em out.

So IT, that's what a

lot of us do every day.

That's our typical

corporate infrastructure.

Sometimes they like to separate it

between the carpet and the paint

or the carpet and the concrete.

So the carpet is the

office, that's IT.

The concrete is the OT.

That's your industrial environment.

Operating technology is

what that stands for.

It could be the dials that

turn the chlorine balance

in a water treatment plant.

Those types of industrial

equipment type environments,

that's the operating technology

that makes the physical.

It's a cyber physical interface

between this technology is gonna

control a physical process.

That's the operating technology.

Then IOT is internet

of things, obviously.

That can be anything

from IP cameras to...

At one customer, they had

vulnerable Amazon Firesticks

in their presentation

TVs and conference rooms.

So it could be any internet

connected device that's not

traditionally manageable like that.

Then IoT and a lot of different

verticals, like medical,

have their own IoT flavor.

So industrial IoT then instead

of IoMT like medical and every

vertical's got their own iot.

An industrial IoT is often

looped in with Industry 4.0,

which is the latest revolution

of plant floor technology,

of which involves things like

5G for wireless connectivity,

especially in more rugged or

network challenged environments.

You've got those same IoT type

technologies, but in the plant

space used for manufacturing

or industrial control purposes.

Often, you'll see as well a gateway

device where now the legacy devices

that were previously not connected

to the internet have a gateway

to get out to cloud services.

It's really a game changer.

It blows my mind.

When you think about mission

critical plant floor systems that

are now connected to the cloud,

taking on that big dependency

for another point of failure.

So there's a lot of concern

for a lot of traditional

manufacturing folks.

Do we go that path or not?

But that's the whole gamut from

IT, OT, Io T there you go.

Okay.

So you really went

deep dive in there.

I appreciate that.

You mentioned Industry 4.0.

Let me just double click on that.

So Industry 4.0, is that a

standard or kind of a terminology

that we're using to augment

or increase the efficiency or

automation in a plant floor?

How do you describe

that specifically?

Personally,

I'm not sure that it's a

standard necessarily, but I

think it's a bucket phrase

that captures a lot of that.

I'm sure there are people

that could go into the

line items and explain why

it's different than 3.0.

That's technology, right?

You got 1, 2, 3, 4.

This is the latest iteration,

which includes cloud connectivity

on the plant floor systems.

You mentioned

something really important there.

The gateway into cloud management.

Traditional PLCs or

traditional plant floor

technology would typically

not have any external access.

And I think that gateway now,

as much as it's creating that

operational efficiency or

automation and that layer of

management, I think that's where,

correct me if I'm wrong, is

that where that gateway brings

in also the security concern?

Yes, if

you're exposing devices to

the internet that are on

a plant floor, obviously

that's gonna be a concern.

These days, everybody knows better

than directly exposing devices

to the internet, I would hope.

But even just typical Windows

and Linux boxes that are sitting

there beside the line controlling

a machine in the assembly process

of manufacturing, for example.

Those machines are still there,

still running old operating

systems and still vulnerable.

That's a good point.

You're right.

We often forget that.

We put the box in the corner, it's

got the same password for the last

12 years, hasn't been updated or

patched or anything like that.

And it's kinda just

running the old system.

Those present obviously big

vulnerabilities in a plant floor.

Some people

call that IT / OT convergence.

Some people say, oh, that

happened years ago, as soon as

we put a PC on the plant floor.

Other people say it's

still converging.

You've got windows and Linux

devices typically usually on

older flavors of the operating

system, often not up to date,

that are put on the controlling,

mission critical processes,

that are time sensitive and,

sometimes attached to millions

of dollars of pieces of equipment

that are very sensitive.

So it's not your IT

environment at all.

What we hear often is that, if

you try to take IT processes

and just copy paste into the

OT environment, you're gonna

break things right off the bat.

When you think about this

mindset change between IT and OT.

In IT, we're concerned about

confidentiality, integrity,

authenticity, and the CIA triad.

But on the plant floor, the

number one concern is human

safety and that trumps everything.

So it really is a different

place to operate technology.

Absolutely.

I think that's always been

the biggest challenge.

Like you mentioned, merging

those two mindsets together.

The technology is one thing,

but the mindset is really.

And you're right, safety

should never be overlooked,

a hundred percent.

To go back to what you said,

if anyone's ever been on a

plant floor, you've seen that

PC that's got Four inches of

dust on the keyboard and four

inches of dust on the monitor.

And it's never been touched,

never been clean, but it's

just rock solid and working.

So we don't touch it.

Let me double click on

the next question, which

is all about visibility.

We talk about a lot of

manufacturing customers, about

visibility and control of

their OT environments, right?

So what are you hearing as

trends in that specific space?

As much as

we would like to think that

this is the year, 2023 and

everybody's all wired up, digital

transformation's complete.

I talk to a lot of smaller

manufacturers and suppliers who are

literally just now getting started.

I've had even larger manufacturers

tell me; if we had a ransomware

event in the plant, we have

a spreadsheet from five years

ago with our asset inventory.

And we all know that's

just not going to work.

Unfortunately, a lot of people

are still just getting started.

And I think what's happening

is, let's say you work with

automotive and you've got a

top tier automotive company.

That OEM that's supplying the

federal government in the US.

So now there's CMMC Cybersecurity

Maturity Model Certification.

It's now at 2.0 getting

ready to be effective here

within the next couple years.

Then all of a sudden, now you

find yourself maybe you're not a

tier one supplier to that auto.

Maybe you're a tier

two, tier three.

All of a sudden, depending

on how close you are, what

you're supplying, you could

be susceptible to compliance

for US federal government.

Or if you're in Europe, maybe it's

Tisax or NIST two or maybe it's

in US, the White House executive

orders around cybersecurity.

All of a sudden there's

this really big regulatory

compliance landscape.

Now, standards have been around

for years, but it's this regulatory

compliance that's forcing

people to take a look because

manufacturing is, unfortunately

increasingly in the headlines

with ransomware, malware and

ransomware malware targeted

at manufacturing specifically.

There was a headline a couple

years ago where there was

ransomware that was looking

at over 60 windows executables

running on the line side, and

it would kill those processes

before it ransomed the box.

So it was specifically

targeted manufacturing.

That's got a lot of people

concerned obviously.

A lot of people are just getting

started and they don't have the

basic inventory visibility into

what are my devices, whether

they're Windows, Linux, or those

lower tier PLC sensor type devices.

Visibility really is the

first place to start.

And what I find is a lot

of people are evaluating

software solutions there.

They're looking for things

that can inventory those

devices on the plant floor.

If I started naming vendors because

there are dozens of vendors in

that space now who are helping

to provide that visibility.

At the risk of going too

long on this answer, I'll

also say another big concern

is staffing and skillset.

I was gonna say that.

That's always been a

challenge in manufacturing.

Traditional, non IT environments.

It's about operations, it's

about efficiency, it's about

automation and safety, of

course, but technology's kind

of always taken a backseat,

and correct me if I'm wrong.

There's people

that design these processes and

they've used technology for years,

but security wasn't a concern

because they weren't exposed to

the internet, like they are now.

So you've got skillsets in

traditional industrial environments

that are having to either learn

new skills or you have IT people

coming in telling them what to do.

Then the production

engineering folks are

saying, now, wait a minute.

It doesn't work that way here.

You've got this hybridized

skillset between a cybersecurity

mindset coming into a

manufacturing environment.

So that really is a critical

skillset to have now is having

a security mind and an OT mind,

so you can bring those together

and doing it in a safe way.

Sounds like it's

not an easy skill set to find,

based on what I've just heard.

Yeah.

The cyber field as a whole.

I've heard stats, you get different

numbers, like millions of openings

that'll go unfilled, right?

And then when you get into niche

areas like this, where it's a

hybrid of IT and OT coming together

with cyber in the skillset,

it is a niche skillset area.

What a lot of companies are going

to end up doing because they

can't afford a senior person in

that space, cuz manufacturing

budgets are always tight,

especially when it comes to

staffing for something like this.

A lot of times you're going to

hire people straight out of college

and there's gonna be a lot of O

J T a lot of on-the-job training.

There's some resources

I'll talk about later that

can really help with that.

Yeah,

that's very good.

Before we move on to the next

question, anything else you

wanna say about visibility in

OT environments or you wanna,

we can circle back at the end?

I think

I'm good on there for now.

All right.

All right.

So you mentioned a lot of

companies are just getting started.

So if you've seen this, you've

obviously lived this through

conversations with your clients.

How does a company get started?

If you're a manufacturing

company, just listening to

this podcast at random, how

does the company get started?

Where do they look,

what do they do?

Number one,

you're not alone, especially if

you're in the smaller tier space.

There are a lot of bigger companies

who have already walked this path.

They've crafted best practices.

They put that into guidance.

You may have heard of the

Purdue model for the structuring

of systems in manufacturing

or industrial environment.

You take another layer to the I S

A I E C, more alphabet here, 6 2

4 43 and we'll have links in the

show notes for folks to this stuff.

But ISA 6 2 4 43 is the

international standard for

cybersecurity practices in

a manufacturing environment.

It's gonna help you

categorize and sort through.

If I'm just staring at I-beams

and network cables and equipment,

how do I make sense of this?

Where do I draw the lines virtually

for, how do I organize this

into an actual cyber strategy

for my industrial environment?

So it's gonna have a five

layer stack that goes from top

traditional kind of IT systems,

running Windows and Linux and

such, all the way down to those

lower tier devices that are

running some type of firmware

maybe that you need to monitor

or maybe it's just a dial that's

controlling something all the way

down the sensors and actuators.

They've carved that out.

They've identified, okay,

here's the vocabulary you

even used to talk about it.

I've got a security level

target that I want to get to.

Here's the security level

capability of what we can do today.

Then that gives us this

gap that we need to close

and zones and conduits.

Here are machines that are

going to be compensating

controls, we can't update them.

So they're gonna get firewalled

or air gaped over here.

That's a zone.

Then a conduit's that network

connection coming in and

out of there for firewall

connections, so to speak.

You've got network segmentation

between the carpet and the cement.

So between IT and OT, making

sure you've got the right

firewalls in place and if Mary

in accounting clicks a phishing

link, it doesn't take down

manufacturing and vice versa.

There's a lot here and

there's a lot of precedent.

If you're just getting started,

there's a lot of resources

available to help you.

There's a deep bench with

consulting practices and providers

like yourself who have done

work in this space, who can

really help people first off

to get oriented and that's what

I've noticed a lot of the calls

that I've had even recently is

just helping people understand

where do I take that first step?

Yeah and

these standards, I'll

just say numbers again.

So ISA i e c 6 2 4 43.

I think these international

standards force both the IT and

the OT folks, so you said process

engineer first to work together

and merge those processes.

As much as they are different, I

think these standards are extremely

important and should be adopted

obviously by these organizations

because if there's a skillset

gap from a process wise, this

forces them to work together.

So we're seeing this

across the board.

I'm glad you brought that up

because I think it's important

that individuals know this.

The standard, obviously

you're well-versed in it.

Is this something you get to

stamp once and then you have

yearly checks or do you know

how long this standard would

last within an organization?

In the realm

of regulations, compliance,

attestations, this is just a

standard that's a recommendation

that you should align to.

I would say that it's not enforced,

but when things like we're seeing

in EMEA right now with the Nist 2

is actually coming in and putting

teeth to some of this to actually

enforce it and putting penalties

there where there weren't, before.

For the last 20 years, ISA

62443 has just been a standard.

Hey, this is a good

way to think about it.

The design and framework

give the industry a common

vocabulary and put training

and resources behind it.

Yeah it's actually got a little

more legs now, with the headlines

over the last few years.

Just to touch

on that, when we talk about

regulatory compliance for us as an

organization, especially when we're

talking with clients, when you

abide by or conform to a specific

standard, you earn the right to

do business with more partners.

If you don't have the controls

in place, that's fine.

But if you want to continue to

conduct business with certain

entities, you're gonna be required

to show that you actually meet

a certain level of standards.

Whether it's enforced legally

or not, I think more and more

companies are just gonna abide by

a specific standard cause they want

to continue to do business or earn

the right with certain enterprises

that they once could not do that.

You're

describing supply chain risk.

There you go.

And that is top

of mind for everybody right now.

I remember when I used to work

for Toyota, for example, the

automotive seat supplier, the

seats would come in off the semi

truck in the order that cars were

going down the assembly line.

If that seat supplier then had

a cyber breach, even if there's

nothing cyber in the seat itself,

if they were victim to ransomware

and that supply paused, it would

pause the cars going down the line.

Even if you make wiring harnesses

that have no embedded technology.

If you can't supply those

because you've been breached,

you're gonna impact all

your supply chain partners.

So whether or not you think

it applies to you, it does.

Exactly.

Got another question here

about OT environments.

We see such a diverse

mix of devices.

How do you manage all those types

of devices with one solution?

Is it even possible?

It's not, no.

I tell you the more people I talk

to, whether it's partners, other

vendors prospects and customers

in this space, everybody's

looking for a silver bullet.

There is no one software solution

that's gonna give you that

ultimate visibility control

from one end to the other.

Today, it doesn't exist.

What you will find though,

is what I prefer to call

strategic platform partnerships.

Now, don't get me wrong.

There are some companies out there

that say, yeah, we do IT, and OT.

But you've gotta dig a little

deeper below the marketing

messaging and say, okay, what

exactly do you do in IT and OT?

Maybe you only scan for

vulnerabilities and that's it.

It doesn't stop there.

I need to fix those

vulnerabilities, right?

I need to enforce policy

on those works stations.

I got Windows and Linux that

I need to manage firewall and

disc encryption and things

like that, on the plant floor.

It goes beyond just a narrow

feature matrix to actually a broad

set of full manageability for

the plant floor from IT and OT

and where that convergence meets.

What I'm seeing today is as I

talk to people who are in this

starting process, they are actively

investigating vendors that do

like port spanning on the network.

There's dozens of vendors in this

space that'll listen and find those

devices passively on the network.

Then there's need for some

active scanning as well, cuz

some of those devices will never

initiate a network connection.

Then you've got your traditional

distributed control systems

vendors like Siemens and

Rockwell and Honeywell and GE.

I could name those for a while.

You've got all those

vendors who have their own

cybersecurity practices as well.

What I typically recommend,

you know what we do is helping

people with visibility on

the top tier of that model.

So the Windows and Linux

devices, we can give you all

the capability you need there.

Let's take that and use some

common backend like Splunk or

ServiceNow or Microsoft Sentinel.

Some type of sim source

solution, C M D B.

Let's take all that Tanium data,

put it in there, and then take

your other solutions in this space

that most of them are already

pre-wired for ServiceNow or

Splunk, something on the backend.

Then, use that backend for that

end-to-end visibility and control

for your IT OT SOC experience.

Interesting.

So what I heard was, form a

strategic platform of partnerships.

Make sure you've got a bunch

of partners that can then

fill those needs cuz there's

just no silver bullet.

So the benefit

there is, rather than having

a dozen solutions with a dozen

integration points in this matrix

of integrations, you can really

optimize that down to just a

few strategic integrations,

which is gonna make it easier

to maintain in the long term.

Got it.

Very good.

One last question cuz then

I wanna talk a little bit

about what you do and maybe

how your platform could help.

You've mentioned a lot of things

here and obviously I wanna give

you the time to talk about that.

What resources are available

to help companies today?

We talked about how

they get started.

Obviously a bunch of stuff online,

but what would you recommend?

There's

always the free and easy

Wikipedia and YouTube, right?

You can learn anything on

Wikipedia and YouTube and there's

a ton of open, stuff like that.

But if you're willing to invest,

even just looking at the open,

free resources, I would go

straight to the SANS Institute.

SANS has been around for years and

everybody knows them as the source

of trusted security training.

SANS has a whole program for

industrial controls, SANS ICS.

S A N S I C S.

Just put that in your search

engine and we've got some links

in the show notes here as well.

We're definitely gonna

share a lot of that information.

You sent me some stuff for

the show here, which is great.

Yeah,

they've got an I C S guide.

Industrial controls guide for

recommended controls to start.

Things about having an

incident response plan.

Sure we have one of those for

IT, but do you have it for

your industrial environment?

Just knowing who to call,

where do I get my inventory?

Where are all the firewalls?

And who's controlling those things?

Having that incident response

plan, a defensible architecture,

network visibility monitoring,

secure remote access, and then

even risk based vulnerability

management, which prioritizes

not just saying, here's all the

volumes, but here's the ones that

are prioritized for our equipment

with our environment where we

know that they are exposed.

They have a really good guide

that you can download for

free just to get started.

But they have a whole

suite of courses.

And I'm not compensated for

this either, by the way.

Just I've seen that they have

some fantastic instructors who

are writing, designing, living

this every day, getting real

world training out there to

the people that need it most.

Even if you're taking somebody

off the street without this kind

of background in their portfolio,

you can send them to these

classes, get them some hands

on with this technology and get

'em trained up and ready to go.

Even if you're not

getting compensated, I think you've

obviously demonstrated a wealth

of knowledge in this industry.

So if you're saying SANS ICS

is a good place to start,

that's where I would start.

Thanks for that, Ashley.

Before we wrap, obviously,

you work at Tanium.

I see the background there.

Maybe just tell us a little

bit about how Tanium could

help an organization.

You've shared time with

us and I appreciate that.

So I need to give you some

time to tell us how Tanium

could potentially help.

Sure.

Tanium is a real-time endpoint

management platform for visibility

and control at speed and scale,

all those marketing terms, right?

But basically what that means is

we have a unique architecture that

allows us literally in seconds to

get information from any system.

Windows, Mac, Linux, even Solaris,

and AIX that has an ip, it's

connected, it's on the network.

We can get that real time

visibility of your environment.

If you're wanting to know what are

all the machines in my working from

home, office area, on the plant

floor, as long as it's running one

of those OSs and it's got an ip,

it's got Tanium client installed,

then we can get you the richest

data you've ever seen in real time.

So we can scan for vulnerabilities,

we can patch, we can manage policy,

we can do threat detection and

response, and a whole list of

capabilities that gives you a very

wide feature matrix to manage the

top half of that OT stack, right?

Where you've got windows and

Linux machines out there that are

running what matters most to you.

I've had customers tell us,

when they put traditional

IT tools in there, they need

multiple tools to do that.

It's a performance hit on

the endpoint, but Tanium's

a single agent that

covers multiple tool sets.

With that platform approach then,

you can reduce the impact on often

under-resourced hardware profiles

on these manufacturing machines.

We've seen some real benefit

there as well as the actual

technology, what we're doing to

manage and secure that environment.

Fantastic.

So it's all about visibility and

knowing what you own, because

you can't really protect if

you don't know you own it.

Exactly.

I know it's

cliche and we say it often,

but it's the fundamental truth.

If you don't know what exists

on your network then, how do

you know how to protect it or

mitigate the risk on those devices.

Ashley, I've learned a ton.

I'm sure the audience

is gonna love this.

We will be sharing a lot of

the links that you've sent us.

Before we go, anything else

you want to add because you've

given us a lot of your time

here and a lot of information.

If you got nothing else, I

just want to thank you and say,

hopefully we can do this again.

I'll close off with that.

Thanks

for the opportunity to

come on the show, Luigi.

I just wanna offer a word

of encouragement because

typically IT and OT are

separate silos in the business.

Only a few places where they're

actually integrated with a

common vision, common governance.

It takes work to get

there and it's worth it.

Your business depends on it.

Your livelihood, your family

that you support with the income

that you make at your employer.

You want to keep that secure for

your own interest, but also for

the business and for all the people

that are served by that business.

It really is worth the effort

to spend the time and to do

the research and to get your

program started, if you don't

have one because security

is not an option here.

Time is now.

You gotta get started.

Ashley, it's been a pleasure.

Thank you very much.

Hope to talk to you again soon.

Take care.

Thank you.

Bye-bye.