WEBVTT 1 00:00:00.480 --> 00:00:03.330 Anna Delaney: Hello, and welcome to Proof of Concept, the ISMG 2 00:00:03.330 --> 00:00:06.060 talk show where we discuss today's and tomorrow's 3 00:00:06.090 --> 00:00:09.930 cybersecurity challenges with experts in the field, and how we 4 00:00:09.930 --> 00:00:12.960 can potentially solve them. We are your hosts. I'm Anna 5 00:00:12.960 --> 00:00:15.600 Delaney, director of productions here at ISMG. 6 00:00:16.140 --> 00:00:18.150 Tom Field: I'm Tom Field. I'm senior vice president of 7 00:00:18.150 --> 00:00:20.850 editorial at Information Security Media Group. And Anna, 8 00:00:20.850 --> 00:00:22.320 it's been a while. Very good to see you. 9 00:00:22.830 --> 00:00:25.020 Anna Delaney: So good to see you. Tom, how have you been? 10 00:00:25.020 --> 00:00:28.710 Tom Field: I'm well. We've both been busy traveling and paying 11 00:00:28.710 --> 00:00:31.020 attention to different events, summits and roundtables. But I 12 00:00:31.020 --> 00:00:35.070 wonder, have you been paying attention on LinkedIn to all the 13 00:00:35.070 --> 00:00:37.110 different notifications? And when we hear about the great 14 00:00:37.110 --> 00:00:41.040 resignation, all I ever see when I go on LinkedIn now is virtual 15 00:00:41.040 --> 00:00:43.680 confetti and balloons as people are starting new roles. 16 00:00:43.000 --> 00:00:47.110 Anna Delaney: Yes, I have been using the like button and the 17 00:00:47.170 --> 00:00:51.220 congratulations button a lot as of late, and you're right. Is 18 00:00:51.220 --> 00:00:55.240 this symptomatic of post COVID times or are there just many 19 00:00:55.240 --> 00:00:56.710 more jobs in the market? 20 00:00:57.080 --> 00:00:58.790 Tom Field: Opportunities. I think there are terrific 21 00:00:58.790 --> 00:01:00.680 opportunities. 
And one thing that we've, you know, we've 22 00:01:00.920 --> 00:01:04.550 certainly talked about plenty of times on this show is that the 23 00:01:04.550 --> 00:01:07.760 concerns that we're all dealing with in cybersecurity aren't 24 00:01:07.760 --> 00:01:12.320 going away. They're growing. And so, the need for cybersecurity 25 00:01:12.320 --> 00:01:14.930 leadership isn't going to diminish. In fact, those 26 00:01:14.930 --> 00:01:17.600 opportunities are growing. Oddly enough, that ties into our 27 00:01:17.600 --> 00:01:18.590 conversation today. 28 00:01:19.910 --> 00:01:24.200 Anna Delaney: Indeed, we have a leader join us as our special 29 00:01:24.200 --> 00:01:26.990 guest, who is ... why don't you introduce her, Tom? 30 00:01:26.990 --> 00:01:29.780 Tom Field: Well, she's had a lot of confetti and a lot of 31 00:01:29.780 --> 00:01:32.660 balloons on LinkedIn. You may have known her as the CISO of 32 00:01:32.660 --> 00:01:36.140 Baxter International. You and I met her when she was the CISO 33 00:01:36.140 --> 00:01:39.890 with Carrier and she is now the CISO with Rockwell Automation. 34 00:01:39.890 --> 00:01:44.300 Please welcome our friend, Nicole Darden Ford. 35 00:01:44.780 --> 00:01:47.480 Nicole Darden Ford: Hi, how are you guys doing? Nice to see you 36 00:01:47.480 --> 00:01:47.960 again. 37 00:01:48.140 --> 00:01:50.360 Tom Field: Doing very well. It's good to see you. Nicole, how are 38 00:01:50.360 --> 00:01:53.000 you finding your new role so far? It's been, what I'm gonna 39 00:01:53.000 --> 00:01:54.110 say four to six months. 40 00:01:54.710 --> 00:01:58.220 Nicole Darden Ford: It's been six months. And it's been really 41 00:01:58.220 --> 00:02:02.570 awesome, great ride, learning so much, meeting with clients and 42 00:02:02.570 --> 00:02:07.160 customers about their OT challenges and really just 43 00:02:07.160 --> 00:02:08.600 getting to know this industry. 
44 00:02:09.890 --> 00:02:12.140 Anna Delaney: And I know it's early days, Nicole, but what are 45 00:02:12.140 --> 00:02:15.470 you hoping to achieve for Rockwell and the wider OT 46 00:02:15.680 --> 00:02:16.490 community? 47 00:02:17.560 --> 00:02:19.930 Nicole Darden Ford: Well, I'm hoping to get the word out and 48 00:02:19.930 --> 00:02:24.040 amplify the messaging of the importance of cybersecurity in 49 00:02:24.040 --> 00:02:27.100 the OT space. I think it's really important that we 50 00:02:27.100 --> 00:02:31.390 continue to send the best message possible to our 51 00:02:31.390 --> 00:02:34.900 customers about things that they can do to protect their OT 52 00:02:34.900 --> 00:02:35.800 environments. 53 00:02:37.300 --> 00:02:39.130 Tom Field: Great topic. I'm glad you brought up. I'm sorry, I 54 00:02:39.130 --> 00:02:40.120 didn't want to cut you off. 55 00:02:40.150 --> 00:02:43.960 Anna Delaney: No, I was going to say you have a report out and 56 00:02:44.170 --> 00:02:45.250 Tom take it away. 57 00:02:45.430 --> 00:02:49.300 Tom Field: Indeed. Really interested in the 2022 critical 58 00:02:49.300 --> 00:02:52.270 infrastructure research report. We'd love to discuss some of the 59 00:02:52.270 --> 00:02:55.570 highlights. So if I can, you've had a chance to review the 60 00:02:55.570 --> 00:02:59.860 material. What surprised you most in the research that was 61 00:02:59.860 --> 00:03:00.490 conducted? 62 00:03:01.290 --> 00:03:03.150 Nicole Darden Ford: What surprised me most in the 63 00:03:03.150 --> 00:03:08.880 research was that I read that 73% of the surveyed critical 64 00:03:08.880 --> 00:03:12.270 infrastructure organizations said they experienced cyber 65 00:03:12.270 --> 00:03:16.860 breaches. What a large number! 
It tells us that we should be 66 00:03:16.860 --> 00:03:20.460 paying very close attention to our preparedness, so that we can 67 00:03:20.460 --> 00:03:23.520 effectively mitigate threats before they ever become 68 00:03:23.520 --> 00:03:24.210 breaches. 69 00:03:25.090 --> 00:03:28.780 Tom Field: So, devil's advocate. Are all breaches preventable? 70 00:03:30.100 --> 00:03:33.910 Nicole Darden Ford: No, but a large number are preventable. 71 00:03:34.150 --> 00:03:37.870 About 80% of breaches use entry points that are already known 72 00:03:37.870 --> 00:03:41.590 and can be solved for. The tools and processes already exist. 73 00:03:41.980 --> 00:03:46.630 Let's take patching, for example. Research shows that 66% 74 00:03:46.900 --> 00:03:52.300 don't have an effective OT patching strategy in place. Like 75 00:03:52.300 --> 00:03:57.160 we saw with the Coronavirus, the longer a virus, or an exploit in 76 00:03:57.160 --> 00:04:00.130 this case, is out there, the more it evolves. And we don't 77 00:04:00.130 --> 00:04:04.540 want to allow cyber attackers to have access, easy access and 78 00:04:04.540 --> 00:04:08.230 time to get better at exploiting gaps. We need to stop them 79 00:04:08.230 --> 00:04:12.640 before they inflict greater harm and damage in OT spaces. 80 00:04:12.000 --> 00:04:15.570 Anna Delaney: So, Nicole, you mentioned the lack of OT 81 00:04:15.570 --> 00:04:18.720 patching. Why do you think companies hesitate on more 82 00:04:18.840 --> 00:04:21.840 obvious protections just like OT patching? 83 00:04:22.860 --> 00:04:25.830 Nicole Darden Ford: It's just hard to do. It's not like on the 84 00:04:25.830 --> 00:04:29.430 IT side, where you're taking a server down. Quickly, you're 85 00:04:29.430 --> 00:04:32.040 patching it and you're rebooting it in a couple of minutes and 86 00:04:32.040 --> 00:04:35.190 you're back up and running. You're taking production 87 00:04:35.220 --> 00:04:38.820 offline, which is a high cost for most organizations. 
I mean, 88 00:04:38.820 --> 00:04:42.000 think about it. When you take down a production line, they're 89 00:04:42.000 --> 00:04:46.050 no longer able to produce product. So that's a big 90 00:04:46.050 --> 00:04:49.650 concern. Sometimes it's a budgeting problem. In that case, 91 00:04:49.650 --> 00:04:52.950 business leaders don't have an accurate picture of their risk 92 00:04:52.980 --> 00:04:56.760 or probable costs. And we see cyber insurance companies will 93 00:04:56.760 --> 00:05:01.830 make that clear as soon as their rates arise due to a lack of 94 00:05:01.830 --> 00:05:06.960 security protections. Also, many legacy PLCs and production 95 00:05:06.960 --> 00:05:10.920 assets can't be directly configured using modern 96 00:05:10.920 --> 00:05:15.030 cybersecurity tooling. There are ways to solve this. And here at 97 00:05:15.030 --> 00:05:19.110 Rockwell, we do it all the time. It may involve upgrading some 98 00:05:19.110 --> 00:05:23.160 equipment. It could involve virtualization, which we've set 99 00:05:23.160 --> 00:05:27.300 up for several clients. The key message is it's possible, it can 100 00:05:27.300 --> 00:05:29.850 be done, and it has to be done. 101 00:05:31.470 --> 00:05:34.200 Anna Delaney: Moving to another cybersecurity preparedness 102 00:05:34.200 --> 00:05:39.360 factor, performing network asset inventories. Now, 45% said this 103 00:05:39.360 --> 00:05:43.560 step is happening quarterly or less often. So what should be 104 00:05:43.560 --> 00:05:44.910 happening instead, Nicole? 105 00:05:45.680 --> 00:05:47.960 Nicole Darden Ford: It depends on the industry. In most cases, 106 00:05:47.960 --> 00:05:51.950 we recommend no less than quarterly, right? That means 107 00:05:51.950 --> 00:05:57.170 that if we can get organizations to consistently inventory 108 00:05:57.440 --> 00:06:01.790 quarterly, and sometimes they can go biweekly, which makes the 109 00:06:01.790 --> 00:06:06.620 most sense for the organization. 
In fact, many of our clients are 110 00:06:06.620 --> 00:06:10.490 moving to real-time asset inventory. We can automate this 111 00:06:10.490 --> 00:06:15.110 process, so it's generally painless for organizations, and 112 00:06:15.110 --> 00:06:16.370 this is what we recommend. 113 00:06:17.810 --> 00:06:19.520 Tom Field: Nicole, shifting gears a little bit. I want to 114 00:06:19.520 --> 00:06:22.670 talk about hardening networks. Now, when we talk about that, 115 00:06:22.670 --> 00:06:27.290 often that means segmentation, firewalls, a demilitarized zone, 116 00:06:27.290 --> 00:06:30.080 so to speak, set up to stop breaches from moving from IT to 117 00:06:30.080 --> 00:06:36.590 OT or vice versa. Yeah, in this survey, only about half - 50% - 118 00:06:36.830 --> 00:06:40.580 say that they have either segmentation or the DMZ in place 119 00:06:40.580 --> 00:06:42.920 today. Talk about what's at risk here. 120 00:06:43.860 --> 00:06:46.590 Nicole Darden Ford: The risk is lateral movement, where breach 121 00:06:46.620 --> 00:06:51.870 can move from IT to OT or vice versa, or from low-value network 122 00:06:51.870 --> 00:06:55.680 assets to high-value network assets. The more attackers can 123 00:06:55.680 --> 00:06:58.860 penetrate your infrastructure, the greater damage and downtime 124 00:06:58.860 --> 00:07:03.180 they can cause. Segmentation in DMZ or demilitarized zones 125 00:07:03.240 --> 00:07:07.800 provide an air gap between IT and OT. And additional 126 00:07:07.800 --> 00:07:11.340 segmentation can further protect business critical assets with 127 00:07:11.340 --> 00:07:15.720 strong access controls, firewalls and policy roles based 128 00:07:15.720 --> 00:07:16.680 on zero trust. 129 00:07:17.770 --> 00:07:22.600 Tom Field: So, Nicole, another topic, the ongoing march of IoT 130 00:07:22.750 --> 00:07:28.030 in industrial operations. What are your thoughts on this? 
45% 131 00:07:28.210 --> 00:07:32.530 of the surveyed companies do not monitor and control endpoints in 132 00:07:32.530 --> 00:07:35.470 real time. I might argue they don't know where their endpoints 133 00:07:35.470 --> 00:07:38.320 are in real time, but I go off topic. 134 00:07:40.100 --> 00:07:42.470 Nicole Darden Ford: Yes, that means a good number of devices 135 00:07:42.470 --> 00:07:46.520 connected to OT systems aren't configured properly or contain 136 00:07:46.520 --> 00:07:50.780 security flaws. You may get lucky, but in most cases, it's 137 00:07:50.780 --> 00:07:53.780 only a matter of time before threat actors go after these 138 00:07:53.780 --> 00:07:57.590 unsecured and unmonitored endpoints in cyber attacks. 139 00:07:59.700 --> 00:08:02.130 Anna Delaney: So, Nicole, let's talk about critical 140 00:08:02.130 --> 00:08:05.490 infrastructure overall, with recent attacks on Colonial 141 00:08:05.490 --> 00:08:09.840 Pipeline, JBS and Oldsmar water. Do you actually believe 142 00:08:09.870 --> 00:08:13.440 organizations understand the risks? And are you seeing a 143 00:08:13.440 --> 00:08:15.870 growing sense of urgency to act? 144 00:08:16.830 --> 00:08:21.060 Nicole Darden Ford: We see all levels of response. Nothing 145 00:08:21.060 --> 00:08:25.200 serious will happen to others who have an immediate interest 146 00:08:25.200 --> 00:08:28.350 in rolling out full scale deep protections across multiple 147 00:08:28.350 --> 00:08:32.490 sites worldwide. I'm encouraged that many responses in our 148 00:08:32.490 --> 00:08:36.060 research report stated that several measures were in 149 00:08:36.060 --> 00:08:39.660 progress or planned. So attention and action is taking 150 00:08:39.660 --> 00:08:44.970 shape. In my opinion, we cannot move fast enough. 
The task is 151 00:08:44.970 --> 00:08:50.460 with every industrial CISO and COO, head of plant, engineering 152 00:08:50.460 --> 00:08:54.450 or operations and also with business leadership and boards, 153 00:08:54.630 --> 00:08:57.930 as risk of downtime and liability increase 154 00:08:58.080 --> 00:09:02.610 exponentially, to fundamentally shift thinking toward deploying 155 00:09:02.610 --> 00:09:07.080 modern cybersecurity protections as quickly as possible. So it is 156 00:09:07.500 --> 00:09:12.630 absolutely imperative. Many costs of breach go unrecorded, 157 00:09:13.170 --> 00:09:19.230 and is way beyond downtime, damage and/or ransoms. It now 158 00:09:19.230 --> 00:09:25.230 includes risk of litigation, high cybersecurity costs such as 159 00:09:25.350 --> 00:09:30.390 cyber insurance increases, reputational harm, supply chain 160 00:09:30.390 --> 00:09:35.610 problems and worker and public safety and so much more. I tell 161 00:09:35.610 --> 00:09:40.380 customers, "You either pay now or you'll pay later. If you pay 162 00:09:40.380 --> 00:09:43.770 later, the costs and damages will be much greater." 163 00:09:45.360 --> 00:09:48.090 Anna Delaney: So, what can industrials do to get the ball 164 00:09:48.180 --> 00:09:52.290 rolling and how do you typically get started in a cybersecurity 165 00:09:52.290 --> 00:09:54.420 engagement at Rockwell Automation? 166 00:09:55.080 --> 00:09:57.330 Nicole Darden Ford: Well, we always start with an assessment 167 00:09:57.330 --> 00:10:01.020 of risk and vulnerability. That way we work with facts and can 168 00:10:01.020 --> 00:10:05.280 quickly pinpoint what's needed and how to prioritize time and 169 00:10:05.280 --> 00:10:10.740 investment. We also, at Rockwell, have a 24/7 OT SOC and 170 00:10:10.740 --> 00:10:14.730 an army of trained OT cybersecurity professionals who 171 00:10:14.730 --> 00:10:18.990 are experts in industrial operations. 
We know what's 172 00:10:18.990 --> 00:10:23.160 important for preserving industrial uptime. For those who 173 00:10:23.160 --> 00:10:26.100 want to contact us for a consultation or assessment, 174 00:10:26.310 --> 00:10:29.160 please visit our website at rockwellautomation.com. 175 00:10:30.750 --> 00:10:32.910 Tom Field: Well said, Nicole. We're going to transition from 176 00:10:32.910 --> 00:10:35.700 talking about the survey now and talk about even more important 177 00:10:35.700 --> 00:10:38.430 things. First of all, with this new role, did it come with a 178 00:10:38.430 --> 00:10:39.750 relocation for you as well? 179 00:10:40.950 --> 00:10:45.690 Nicole Darden Ford: I am still in sunny Florida. Loving the sun 180 00:10:45.690 --> 00:10:50.160 and the fun, but I quite often find myself in Milwaukee, 181 00:10:50.160 --> 00:10:54.780 Wisconsin, which is, you know, an amazing food capital. Love 182 00:10:54.780 --> 00:10:55.230 the food. 183 00:10:55.530 --> 00:10:56.430 Tom Field: Is there a direct route? 184 00:10:57.480 --> 00:10:59.970 Nicole Darden Ford: There is not a direct route. I go through 185 00:11:00.330 --> 00:11:02.280 Chicago to Milwaukee. 186 00:11:02.760 --> 00:11:05.910 Tom Field: Okay, this begs my next question. I hesitated to 187 00:11:05.910 --> 00:11:07.770 ask because I'm afraid what the answer might be. I'm going to 188 00:11:07.770 --> 00:11:10.140 ask how you spent your summer? Did you spend your summer just 189 00:11:10.140 --> 00:11:12.990 traveling between Florida and Chicago and Milwaukee? 190 00:11:14.430 --> 00:11:16.740 Nicole Darden Ford: I did. Again, the work that we do, 191 00:11:16.770 --> 00:11:20.460 specifically at Rockwell, never ends. And again, making sure 192 00:11:20.460 --> 00:11:23.850 that our customers are safe and secure is my primary concern. So 193 00:11:23.850 --> 00:11:28.800 yes, I spent most of my summer going from Florida to Chicago to 194 00:11:28.800 --> 00:11:29.520 Milwaukee. 
195 00:11:30.330 --> 00:11:32.490 Tom Field: And I assume that other travel is back as well. I 196 00:11:32.490 --> 00:11:35.850 know that you know, just Anna and I we have both been hosting 197 00:11:35.850 --> 00:11:39.990 events around the US over the course of the past season. Anna 198 00:11:39.990 --> 00:11:43.050 has taken some vacation in Europe. But I've had the 199 00:11:43.050 --> 00:11:48.090 opportunity to see, I think, everybody's real hot streak in 200 00:11:48.300 --> 00:11:50.760 the US over the past month and a half. How about you? Much 201 00:11:50.760 --> 00:11:51.480 business travel? 202 00:11:51.770 --> 00:11:54.530 Nicole Darden Ford: Oh my gosh, it's just heating up. And it's 203 00:11:54.530 --> 00:11:58.820 been so great to see my colleagues in cybersecurity and 204 00:11:58.820 --> 00:12:01.700 really frankly, in technology, you know, through some of my 205 00:12:01.700 --> 00:12:05.000 travels, so I had been all over and it's just going to continue 206 00:12:05.000 --> 00:12:05.780 to increase. 207 00:12:06.020 --> 00:12:07.700 Tom Field: Good problems to have. It's nice to be out in the 208 00:12:07.700 --> 00:12:10.700 world again. I'm encouraged that Black Hat had the attendance that 209 00:12:10.700 --> 00:12:13.700 it had most recently and that we're seeing people get back 210 00:12:13.700 --> 00:12:17.210 together as you say, Nicole. As much work as we've got done over 211 00:12:17.210 --> 00:12:20.030 these past two and a half years, it is nice to be back in the 212 00:12:20.030 --> 00:12:20.570 community. 213 00:12:20.780 --> 00:12:23.420 Nicole Darden Ford: It is nice to be back with my colleagues 214 00:12:23.420 --> 00:12:26.300 and amongst my peers. That's where the best learning occurs. 215 00:12:26.600 --> 00:12:28.910 Anna Delaney: Oh, Nicole, it's been such a pleasure. Thank you 216 00:12:28.910 --> 00:12:31.700 very much for being with us to share your insight and 217 00:12:31.700 --> 00:12:32.840 expertise. 
It's been great. 218 00:12:33.380 --> 00:12:35.420 Nicole Darden Ford: Thank you for having me. I appreciate it. 219 00:12:35.930 --> 00:12:38.180 Anna Delaney: Thanks so much for watching. Until next time.