How else to celebrate Manufacturing Day than to ruminate on the single largest threat facing industries trying to digitally transform their operations: cyberattacks, most specifically ransomware incursions.
Two technology CEOs, one of whom is a former National Security Agency operative, tackled this topic, which is at the forefront of discussion among OT and IT stakeholders in the wake of such high-profile breaches as the cyberattack at The Clorox Co. that reportedly will cost the company up to $593 million in slower production rates and elevated product availability issues.
Blake Moret, chairman and CEO of Rockwell Automation, an industrial automation and digital transformation provider, and Robert Lee, co-founder and CEO of industrial cybersecurity firm Dragos and formerly of the NSA, were on hand Oct. 6 on Manufacturing Day in North America for an online chat about the heavy cybersecurity burden for companies and executives trying to digitally transform their operations. Matt Robie, director of business development for Dragos, moderated the online discussion. A recording of the webinar also is available.
A wider 'attack surface'
Cyberattacks on manufacturing businesses have doubled, and while manufacturing, Lee noted, tends in many ways to be more innovative than other industries, “all that value comes with some consequence, an increase in the ‘attack surface,’” meaning more points of cyber vulnerability that industries must defend, and must become sophisticated about defending.
Moret said China and the cybersecurity risk are the two most important interrelated issues in the board rooms of manufacturing companies today. And with the focus still on the supply chain post-COVID, there’s focus on manufacturing suppliers and their vulnerability to cyberattacks.
Moret said fully 29% of industrial companies report attacks, but many cyber incidents have gone underreported. However, new U.S. Securities and Exchange Commission rules that the SEC adopted this summer require all companies, public and private, to disclose material cybersecurity incidents four days after a company determines there was a breach.
“Whether a company loses a factory in a fire—or millions of files in a cybersecurity incident—it may be material to investors,” the SEC’s chairman, Gary Gensler, said at the time the rules were announced. It was these new SEC rules that compelled Clorox to report to the SEC the ransomware hack on its systems; otherwise the multimillion-dollar Clorox attack might never have become public.
Lee said the media almost “celebrates” cyberattacks with coverage of the failures, adding “we don’t celebrate the defenses enough, the correct architectures” of the kind that Dragos deployed in concert with U.S. government assets against vulnerabilities affecting Rockwell ControlLogix EtherNet/IP communication modules. That cyberattack was “properly defended,” Lee added.
Deploying the proper cybersecurity defenses starts at the top, at the board level, Moret said during the Oct. 6 webinar.
“It’s kind of our job to deal with it, it’s our job to maintain ‘blocking and tackling,’” he added, using a football analogy and saying that cybersecurity is “the first and last question” and in the top 5 of corporate issues next to others such as inflation and workforce skills. He noted: “We have to set up the right governance structure, the audit committee for reporting, the tech committee. It’s going to be a broad-based, continuous task, but that’s the world we are in.”