Building a cybersecure manufacturing strategy
By Bill Lydon
I was fortunate to have the opportunity to talk with Dawn Cappelli, an experienced and accomplished cybersecurity expert, who shared her advice on building cybersecure manufacturing organizations. Cappelli is vice president, global security, and chief information security officer at Rockwell Automation.
Before coming to Rockwell, she was founder and director of Carnegie Mellon's CERT Insider Threat Center. Cappelli is recognized as one of the world's leaders in insider threat mitigation and has worked with government and industry leaders on national strategy issues. Cappelli is a certified information systems security professional (CISSP), and she has a BS in computer science and mathematics from the University of Pittsburgh. Cappelli came to Rockwell Automation in 2013 as director, insider risk, and built the company's insider risk program. Her team is responsible for protecting Rockwell Automation and its ecosystem of customers, suppliers, distributors, and partners from the ever-changing global cyberthreat landscape.
I asked Cappelli what first steps a manufacturing company should take on the journey to cybersecurity protection. She shared her experience, insights, and recommendations for building a comprehensive, cybersecure manufacturing organization.
The first step a manufacturer should take is to designate a leader for the cybersecurity effort. Cappelli noted that many manufacturing companies already have a chief information security officer (CISO) responsible for information technology (IT) security, but operational technology (OT) security has traditionally been the responsibility of the OT engineers. "People are realizing now, due to the convergence of IT and OT, that it's important to have one security leader responsible for all cybersecurity for the company." This should be someone who can work with both IT and OT to build and execute a holistic cybersecurity strategy covering the entire ecosystem: not only IT and OT, but also every external connection, including third parties and the supply chain.
Cappelli described an industry trend toward giving CISOs responsibility and/or accountability for all cybersecurity in the company. One reason is that cybersecurity in IT is significantly more mature than in OT, so someone with IT security experience knows how to build the cybersecurity program methodically across the organization using a risk-based approach.
One of the challenges is building a cross-functional team that includes both IT and OT, since traditionally the two have not worked closely together. Cappelli recommends using the NIST Cybersecurity Framework (NIST CSF) (www.nist.gov/cyberframework) as a tool to run a focused process that involves all parties. The framework helps identify gaps in the cybersecurity strategy and becomes the blueprint for risk assessment. Bringing together cross-functional personnel (IT and OT experts, plant experts, and plant engineers) around the NIST CSF focuses the activity and fosters team building based on shared goals. Building the strategy this way creates a shared vision, an understanding of every stakeholder's challenges, and ongoing positive working relationships.
An important part of this process is prioritizing cybersecurity efforts based on risk. Because it is typically impractical to do everything at once, a risk ranking tells the company which investments to make first.
I asked Cappelli for tips based on her experience building the Rockwell Automation program over the past few years. If you have not yet used the NIST CSF, she suggests starting in the IT group to "get your feet wet," then using the NIST CSF Manufacturing Profile to create your manufacturing security strategy. The NIST CSF also helps identify quick wins for the manufacturing environment, such as ongoing communications to maintain security awareness among plant personnel. Rockwell Automation has done this with a monthly cybersecurity awareness bulletin that reinforces topics like the importance of physical security, social engineering, not sharing passwords, and safely using USB drives.