Continuing our series of ‘Critical Success Factors for the Digital Journey’, we now focus on a subject that is an integral piece of the puzzle – cyber security. This is an extremely relevant topic for many customers out there who are looking to go digital but may be hesitant due to the introduction of potential cyber threats. In this episode, John Southcott and Keith Vermeer discuss why cyber security needs to be part of the Digital Journey conversation.
Listen to the podcast or read the full transcript below.
Critical Success Factors for the Digital Journey: Cyber Security
John Southcott: Let me tee this up by describing a client situation we recently experienced. We’ve been working with a large consumer products company for the past 10 years and they recently did a business continuity review of our operation, which really amounted to checking out our organization’s security systems amongst a number of other things – we learned a lot. We were able to make some changes that they requested of us and overall it was a good process. I did a briefing with the CIO who told me that he was very pleased with the outcome but had concerns about cyber security and that the operations side of their business is where he feels the most vulnerable.
The conversation morphed into “How can we at Brock Solutions help them address some of their concerns?” He went on to say he’s done a lot of talking to consultants, third parties, etc., and one of the things that he hears from time to time is to ‘secure the perimeter’. When he hears securing the perimeter, he frankly said he stops listening. So, there was a real call-to-action for us based on this business continuity review as well as some of the things that we needed to address in our systems to really look at the whole area of cyber security. And so, we tapped you on the shoulder, Keith, to take a look at this. Maybe before we get into some of our learnings, I’ll get you to describe your experience at Brock and the role you have today.
Keith Vermeer: Thanks, John. I’ve been working with customers for 13+ years in the real-time operations space, working both in control systems, in higher-level MES operational systems, and really pulling those together both technically, also working with our customers on how they form their teams. I’ve got a pretty broad range of perspectives when it comes to those technologies as well as the different industries. I have now moved into a corporate role, and it’s really opened my eyes in terms of leveraging those customer experiences, what we’re hearing from our customers around cyber security, and then what that means also from a corporate standpoint when we’re looking at our own security. John you mentioned the audit that we went through with this customer. That really helped funnel a lot of what we’re learning from our corporate security standpoint as well as into what’s making sense for our customers; the two start to merge. From my vantage point now in the corporate role, I’ve got a very unique perspective when it comes to cyber security and what it means for business both from a corporate standpoint and for our customers. You mentioned me taking the lead on the cyber security part — it’s really an opportunity for me to jump into a whole bunch of different scenarios with the organization and learn. That’s how my role has evolved, where I’m sitting now in terms of the cyber security space.
John Southcott: That’s excellent and I think it’s very good timing for us and for our customers and for the marketplace. So, as you got started on the journey of figuring out the whole cyber security play in the operations technology space, I’m assuming you did some research, talked to some customers. What were the results of that activity and what did you learn?
Keith Vermeer: It’s been a pretty interesting journey. If I think back to the beginning of 2017, our founder, Rick Brock, had set up a cyber security lunch and learn – this was the start of our cyber security journey. As we continued to move forward, one of the conversations I remember having was about IoT and analytics, and the question that comes up is “where does cyber security fit in all of this?” and we concluded that it was an enabler. If you don’t do the cyber security part of it, how do you do all the others because you’re opening yourself up to higher levels of connectivity. I went out and talked to industry experts, some of whom worked in nuclear, and tried to understand what they’re doing from a cyber security standpoint. I learned about data diodes and appropriate kind of operational design that they take in building the safety around it because you can imagine a nuclear power plant – you don’t want anybody getting in there, right? So, it was very interesting to look at security there. We did a number of investigations and learnings on the different tools and technologies that are out there. I learned a lot from the IT standpoint in terms of how mature they are and what they can bring to the table from a cyber security standpoint, but when we look at the OT technologies, there’s a lot of them trying to figure out and make their own kind of name or a lot of investment happening in the OT side of things but it’s continuing to evolve.
When we were exploring our own corporate security, we went and talked to a number of different vendors that provide services and when talking to them, they could talk very well to “How to Secure Your Corporate Environment” like your laptops, and your servers, and your firewalls, but when it came to OT, quite frankly it was a lot of hand-waving and theoretical conversations on what could be done. We then went through an exercise to ask our customers what they’re seeing in terms of the concerns that they have and the guidance they can give around cyber security.
There are two key takeaways that I learned through that: 1) there’s an opportunity for a company like Brock Solutions, where we have a plethora of experience in the industrial controls space to bring and help bridge a gap between IT and OT from a security perspective, and what works and what doesn’t work – we can bring real stories to that conversation. And 2) when it comes to our customers, another thing I heard is they don’t even know what they have to understand what the risk is, so there’s an opportunity or a gap there around knowing what’s out there in the control system environment. We bring a broad range of different experiences to the table that can actually help our customers figure out what to do. Those are some of the key things I learned out of the conversations with our customers that really kind of helped form my perspective of where cyber security fits in our world today at Brock Solutions.
John Southcott: I think when you net it all out, there is a lot of confusion and uncertainty when it comes to cyber security in the OT space. A company like ours that does so much work in the operations technologies space, when we look at what we’re doing and what some of our business partners that serve that space are doing, we represent both an opportunity and potentially a threat for organizations as they bring in anything from new software, new services, new equipment. If we fast forward to today to this world of confusion, and look at what we’re doing with existing customers and what some of our strategies are, maybe you could take us through where you see the future going and what we’re doing to address this going forward.
Keith Vermeer: In terms of what we’re doing about it, it’s three-fold: 1) there’s a corporate perspective. As customers continue to come to us as the cyber security space evolves, and it’s ever changing, we’re trying to up our own game to respond to our customers. They’re getting pressure from their leadership to do more around cyber security and that then translates to us. So, we’re uplifting our game there from our own corporate security posture. 2) getting out there with customers, we’re engaging with customers to help bring that expertise. We have engagements where we’re out there bringing that ICS knowledge to help bridge the gap between IT and OT when it comes to security, and layering where, “how deep do we go?” and the ISA95 model in terms of what we can see and look at. So, we’re helping our customers and our partners figure out where that fits and how to draw that line and it’s through a consultative type of approach initially. And 3) we’re looking at working with vendors or suppliers around IT services. We’re having conversations with them around “is there an opportunity for us to pull together solutions where we’re working with the supplier of the IT services and then looking at OT technologies and what we can do there?” There’s active conversations we’re currently engaged in.
John Southcott: A lot of interesting stuff and a lot of expectations because we are very active in many cyber security related initiatives. So Keith, let’s look forward in terms of what we’re doing in the market with our customers and some of the solutions we’ve developed. Through an innovation initiative that we’ve held recently, we’ve developed an approach called SmartMonitor, which I think we’re very excited about and the customers we’ve previewed this with seem equally excited about it, so why don’t you tell us a little bit about it.
Keith Vermeer: I want to tie it back to the initial part of this conversation around what our customer said to us around when he hears ‘secure the perimeter’, he basically turns off. IT does a great job of making that hard shell around an OT environment. What’s missing is that inside – because once someone gets in, they can go wherever they want within that environment. So, our SmartMonitor solution and approach is really designed to create more intelligence around the controls networks, identify what’s going on, and look for anomalies that are outside the normal day-to-day activities because control networks are fairly deterministic. The value add there is really to help get visibility and identify when there is an issue so that our customers can become more proactive.
John Southcott: We are very excited about SmartMonitor and the potential it represents. We plan to work with customers and partners to evolve the solution. Securing the perimeter is not the “final answer”. So, what we’ve got here is something that is a potential enabling tool for cyber security in the OT space which is really table stakes for a connected world. We can’t see a connected world of IoT and connected devices and all the analytics that people want without security. I know you’re very excited about this role and if anyone wants to find out more, they’re welcome to reach out. Thanks, Keith.
Keith Vermeer: Thanks, John.