Cybersecurity was a big topic at the 2022 ARC Industry Forum in Orlando, Florida. While there, I had the opportunity to sit down and catch up with Emerson’s Director of Cybersecurity, Mike Lester. We discussed many of the issues and growing threats companies face, as they try to maintain strong cybersecurity postures.
Unfortunately, there is no silver bullet to becoming cyber-secure and maintaining strong defenses. Mike offers guidance on ways to develop a strong culture and address these challenges over time.
Jim: Hi, everyone. This is Jim Cahill with another “Emerson Automation Experts” podcast. Today, I’m here at the 2022 ARC Forum in Orlando, and joined by Emerson’s director of cybersecurity, Mike Lester, to discuss some of the latest happenings in cybersecurity. Welcome, Mike.
Mike: Thanks, Jim.
Jim: Well, let’s get everyone grounded with a little bit of your background, and path to your current role here at Emerson.
Mike: Sure, Jim. So, I’ll start way back in the Air Force, I was an aircraft mechanic back from 1985, so I did that for 12 years and then moved into communications, which was networking, data center operations, cybersecurity, you name it, and we did it from a technology perspective. And then after doing that for 10 years, I moved into Emerson as the operations manager for IT in the Rosemount Twin Cities factories, and helped, you know, maintain the factories, and networks, and systems there. Then moving into an information security role for the then Process group. And then in 2017, moving into the current role for product security in the technology arm of the organization today, where I get to interact with customers, and all the business units around cybersecurity strategy, as well as technologies and governance.
Jim: Well, that sounds like a really strong background, and I know cybersecurity is one of the key topic areas here at the conference this week. So why does cybersecurity remain such a large concern in the critical infrastructure space?
Mike: Jim, there’s some obvious reasons and responses here, like, ever-increasing threats and successful attacks against critical infrastructure targets. Cybersecurity remains a large concern because there’s been a clear shift from gang-related cyberattacks seeking financial gain, to cyber as a fifth element of war with all nature of attacks between different threat actors, nation-states to nation-state saboteurs, to nation-state to private industry and in critical infrastructure sectors.
A good example of this dynamic is Russia launching cyberattacks against Ukraine, days before the kinetic attacks began. Followed by that, was a global community of independent volunteer hackers that attacked and provided intelligence to the world about where oligarchs were docking their yachts, and much more direct, defensive, and offensive. Essentially crowdsourcing cyber warfare without anybody asking them to do it. Likewise, there’d been malicious threat actors like Anonymous, since most people are familiar with them, who chose sides in the cyber warfare effort. The threats are real, and we need to begin putting them into context in order to analyze risk with trained professionals in this space as opposed to some historically dismissive behavior or thinking that it can never happen.
Jim: Yeah. It sounds like the degree of difficulty for companies to deal with it has gone way up, so there’s more that needs to be done. So I guess, given the strategic importance of critical infrastructure like manufacturing, what are the key areas of concern?
Mike: Safety is always at the top of the list for concerns, but I would also couple this with the additional consequences of operational disruptions, leading to loss of revenue, supply chain disruption, all the way through to potential extreme or extended social and national capability disruptions, from lack of resiliency in cybersecurity and operations. Look, we depend on a Jenga stack of people, processes, and technology to live our daily lives with electronic everything. This includes our homes, our work, grocery stores, fuel, our national security, our entire way of life is really dependent on the continued and successful operation of critical infrastructure.
And if I extend that Jenga analogy, you know, if you take the wrong block out, the entire structure can fail. And we’ve seen this, some blocks have been taken out or partial collapses in many places. But when we look at the cases like Venezuela and Haiti, where power outages lasted for extended periods of time, there were significant disruptions across the spectrum of what we would consider normal society and livelihood capabilities. We need to be cognizant of the possible, and engineer capabilities in critical infrastructure to match the risk. This may seem a bit doom and gloom but, you know, in reality, they are possible in civilization. We need to manage the risk appropriately in a way that equals a holistic capability. We need to work collaboratively and recognize the role that we have.
Jim: I think that Jenga analogy is a real good one and gives people a picture of the challenges that we face in that. So what are some of the root causes of these points of concern?
Mike: You know, it might be a little unexpected, but, you know, and I’m not gonna go point to a particular control or get dived down into the real technical details, recognizing that in reality, we have imperfect systems, and devices operated by imperfect processes, and often undertrained, imperfect people, we must look across the spectrum to determine how we can prioritize efforts in the right place. I believe this confusion or varying opinions to achieve better levels of cybersecurity, coupled with an extreme shortage in appropriate talent in the workforce, have led the industry to focus on a silver bullet approach primarily with technology solutions, and a market that fuels this approach. And we are misaligned through focus on discrete objectives, rather than industry, regional, national, company-strategic objectives that achieve outcome-based risk management, as opposed to compliance-oriented risk management that’s failed us for decades.
A good example of this is antivirus or anti-malware, everybody’s familiar with that, being a mandatory compliance requirement for audits. When in reality, when it finds malware, it’s already in your environment, and likely active. Anti-malware is known as a reactive tool in the cybersecurity professional space, and what we should be focusing on is preventing that malware from getting into our environments in a proactive manner.
Jim: Well, I guess we all wish there was a silver bullet to handle it, but much like other things, safety, there is no single thing that just makes everything perfect for you. So what can be done to mitigate these cybersecurity risks and threats?
Mike: There’s a spectrum of things, but it really equals work. Lots of work, with appropriate investment strategies, and dedicated budgeting. Threats can really only be addressed by more cyber-resilient and capable products, systems, services, supply chains, and operations. This requires cybersecurity skill and expertise across all business functional areas, similar to finance, or legal. Everyone in the company has a fiduciary expectation and responsibilities that they must meet. They don’t need to be a finance major, or certified public accountant, or a CFO.
More directly, I always like to start with an assessment for your operations to determine gaps and create a plan to remediate those in a prioritized manner. We need to expand this thought process to all aspects of our business and across all functions if we’re gonna get beyond compliance to higher levels of maturity and capability. It’s not gonna be easy, and it’ll likely stretch, or break most paradigms of how to approach holistic cybersecurity that can achieve cyber and operational resiliency to the levels needed in our industries, and for future opportunities in automation and control.
Jim: Well, yeah. It does sound like when you’re trying to tackle a very difficult problem, starting with the assessment and really prioritizing the things that need to be done, so it just doesn’t feel overwhelming. It seems like that’s a very logical approach to attack this very difficult problem. So what are your top recommendations to manufacturers and producers to strengthen their cyber defenses?
Mike: Often we’re gonna be looking for…customers may be looking for, or other business folks may be looking for a list, “Here’s my checklist of things to do.” But really what it comes down to is, work with industry experts and cybersecurity partners, get an outside perspective, or a gap analysis. Cybersecurity in general from a people, process, and technology perspective, has a very fast-paced rate of change across a full landscape. So it’s likely what was known about your operations last year, or when it was implemented, they’re stale data points. You know, looking to…or working with partners to build cybersecurity and operation resiliency in business investments, processes, implementations, etc., you know, with a prioritized business risk-based approach, is a really good start.
Often, conversations around achieving cybersecurity devolve into technology and leverage, versus how to accomplish the right proactive or active defense against threats from the nation-state actors I spoke about earlier on, you know, an active cyber warfare landscape. I’m not saying this really to, you know, instill fear, uncertainty, or doubt, or what we commonly hear as FUD, but to really speak truth about what we face as an industry and as a society. Technology changes to improve cybersecurity capabilities will always be slow to implement and embed into systems and devices that control safety, operations, and the critical infrastructure segments. We’ve gotta understand the spectrum of cybersecurity architecture’s capabilities and operations that can enable resilient operations and fast recovery from what seems to be an inevitable incident that impacts manufacturers and producers.
Jim: Well, I think that’s some good guidance of how to think about it and approach it. So where can our listeners go to learn more about ways to build their cybersecurity posture and culture?
Mike: There’s a lot of good resources. I like to point folks, if they wanna be vendor-agnostic or they don’t…maybe they’re looking at vendors and asking whether we’re gonna sell them the silver bullet approach, you know, we can use resources like the national government’s U.S. Department of Homeland Security in the U.S., the Cyber and Infrastructure Security Agency (CISA), or the UK’s National Cybersecurity Centre, and others, you know. Most recently, Emerson’s partner Dragos, launched a program called OT-CERT. That provides free resources for companies who may not have the expertise available to help them understand the complex space of cybersecurity, and how to mature their programs, or even initialize their programs. Emerson also has a portfolio of cybersecurity capabilities like assessments, products, and services that focus on enabling secure customer operations. The bottom line is we really like to work with our customers and achieve their cybersecurity, and ultimately their business objectives.
Jim: Well, that’s a great summary of places to go for more information, and I’ll add a link to the cybersecurity section on emerson.com for more on the tools and solutions to help our listeners in their cybersecurity efforts. Well, Mike, I wanna thank you for joining us today. I hope our listeners got as much out of this as I did.
Mike: Thanks, Jim. Appreciate you having me.