Business Operations


Sargento Makes a 10-Year-Old Boy’s Wish Come True

On Dec. 21, 2021, the Ball family from Winston-Salem, North Carolina, received devastating news: their son Maxx had Ewing sarcoma, a rare form of bone cancer that typically occurs in children and young adults.

Maxx’s wish: As he battled the potentially life-threatening disease, 10-year-old Maxx, whose cancer is now in remission, had one wish: to travel to Wisconsin to learn about the cheese-making process.

  • “Most kids choose Disney World or a trip to Hawaii, but not my son,” said his mom Lauren. “He loves cheese and all things dairy, so he wanted to come to Wisconsin.”

Sargento Master Cheese Maker Jeff LeBeau describes the cheese-making process to Maxx, who grabbed a sample to test the pH levels. (Photo credit: Sargento Foods)

From wish to reality: The Make-A-Wish Foundation contacted Plymouth, Wisconsin–based Sargento—a leading manufacturer of shredded, sliced and snack natural cheese products—which was thrilled to grant Maxx’s wish.

Sargento has been a longtime supporter of the Make-A-Wish Foundation, partnering with other local businesses on an annual golf-related fundraiser that provides substantial support for Make-A-Wish Wisconsin. Sargento’s Executive Vice President of Operations and third-generation family owner, Mike McEvoy, has also served on the board of Make-A-Wish Wisconsin.

The itinerary: After arriving in Madison the Friday before Thanksgiving, Maxx and his family visited the Center for Dairy Research at the University of Wisconsin–Madison. He also met Wisconsin Gov. Tony Evers, visited the Wisconsin State Capitol building, checked out the House on the Rock and then traveled to Green Bay to tour Lambeau Field. But the final day of his Dairyland tour was a stop at Sargento’s new location: Baker Cheese in St. Cloud, Wisconsin.

Sargento General Manager Brian Baker provides Maxx the finished product as his mom and sister look on. (Photo credit: Sargento Foods)

The visit: Sargento General Manager Brian Baker and Master Cheese Maker Jeff LeBeau provided a tour of the facility and explained the cheese-making process in detail. Maxx helped with making cheese curds, learned the documentation process and even operated one of the facility’s computer systems.

  • “On our tour, he kept saying, ‘This is awesome,’” said Baker. “It really put Thanksgiving into perspective. They are a wonderful family, and what he’s gone through, to be here and to be so engaged and on the other side of his diagnosis, shows what’s really important.”

The last word: “It was a great day, and it was a pleasure to help make Maxx’s wish come true,” said Sargento Vice President of Human Resources and Community Relations Karen Lepisto.


Acutec Gives Workers a Stake in the Company

When asked why she chose to “give away” a quarter of her precision-machining company to employees, Acutec Precision Aerospace President and CEO Elisabeth Smith has a simple, commonsense answer: “Having an appetite for growth is a lot easier if you’re the beneficiary of it.”

Skin in the game: In August, Acutec, the largest industrial employer in its northwestern Pennsylvania county, went from privately held to worker-owned through an employee stock ownership plan. The shares, which have a value of $5.5 million, will be given out to current and future employees over the next decade—at no cost to them.

  • Said the 40-year-old Smith: “I have a long career ahead of me, but I want the employees to be on that journey with me. … Why not give a stake to the person who’s working their butt off?”

Bringing in applicants: The woman-owned business, founded in 1988 by Smith’s father, Rob Smith, has always had an “empowered, participatory” workforce, but in recent years, it struggled with attracting and retaining the right people, Smith said. Since the ESOP, that’s turned around.

  • “It’s made a difference in attracting talent,” she said.
  • With more than 400 employees spread across its three Pennsylvania facilities and one South Carolina operation, Acutec is in growth mode and still looking to fill open positions.

The retirement incentive: The firm’s new ownership structure will help provide for employees in their golden years.

  • Under the ESOP, when an employee leaves or retires, the company buys them out, and they can place that money into a retirement account.
  • “There have been other ESOPs in the community, and some people have seen employees [of other companies] retire with quite a lot of money, so they have an idea of what it looks like,” Smith said.

The productivity effect: Now that employees are part owners of Acutec, Smith sees more interest in cost-consciousness and ROI.

  • “We’re hearing things like, ‘Can we save on tooling?’” Smith said. “There are some costs the employees control themselves. The idea now is that they are custodians in charge of some of those profit drivers. They want to look at return on investment.”

The last word: Perhaps the best development to come from the restructuring is the change in team morale.

  • “Before, people were kind of burned out, coming out of the pandemic,” Smith said. “How do you inspire people to do more? This is how.”

Why Manufacturers Need R&D Tax Certainty

This story can also be found within the NAM’s R&D action center.

For companies like O-I Glass, Inc.—a glass manufacturing company headquartered in Perrysburg, Ohio—research and development just got a lot more expensive.

Until the beginning of 2022, businesses including manufacturers could deduct 100% of their R&D expenses in the same year they incurred the expenses—but a change in the tax law that took effect this year required businesses to spread deductions over a five-year timeframe. O-I Vice President of Global Tax and Business Services Scott Gedris explained how that impacts the company.

The scale: With 17 plants in 13 states around the country—and 70 plants in 19 countries around the world—O-I has a significant reach, serving both large multinational companies and smaller customers like microbrewers and small batch spirits manufacturers.

  • The scale of the operation means that O-I invests significantly in R&D, working to develop innovative processes and specific product designs to meet individual customer needs.
  • “If you look at our public financial statements, we spent $82 million in 2021 on R&D—primarily in the U.S.—and that is a significant investment for us,” said Gedris.

Case in point: In the past decade, O-I has invested heavily in developing more effective, efficient and sustainable processes. In 2011, it built a 24,000-square-foot R&D facility on its Perrysburg, Ohio, campus and has announced plans for a new glass manufacturing facility in Bowling Green, Kentucky, using technology developed at the Ohio facility.

  • Because the company spends so much of its resources on R&D, a significant increase in the cost of investment would require it to make difficult decisions.
  • “Anything that comes out of this in terms of tax dollars … creates a choice within our organization about where we allocate our capital,” said Gedris.

Environmental effects: At a time when O-I is making important investments in sustainability, a significant reduction in available resources could present obstacles to the company’s environmental goals.

  • “When we rebuild a glass manufacturing furnace, that is a multimillion-dollar investment. The cost continues to increase with inflation and investment in modern technology that we need in order to meet our corporate sustainability goals,” said Gedris.
  • “With the cost of that equipment increasing, if we’ve got $10 million less because of increased taxes, we need to evaluate whether we are going to rebuild a glass furnace in one of our 17 U.S. plants, or are we going to defer that? Alternatively, those dollars could come out of our R&D spend, which will impact what we are able to invest in future technology improvements.”

Human impact: Investments in innovation and R&D don’t just create better products and processes for consumers; they also support local economies across the country.

  • “When we invest in a glass manufacturing furnace in these towns, it’s an investment in the community,” said Gedris. “We’ve got multigenerational glass manufacturers in those facilities. It’s a project that people depend on, and they have a lot of pride in the product and the processes at their facility.”

The last word: “When you’re investing in R&D, you’re investing long term—and that means you need certainty in the tax policy,” said Gedris.

Visit the NAM’s R&D Action Center for critical R&D policy updates, industry stories and an opportunity to engage directly with your members of Congress.

How Manufacturers Can Boost Their D&I Efforts

The manufacturing leaders who met in Washington, D.C., this month agreed wholeheartedly: D&I is integral to building and retaining the workforce of tomorrow.

At the third-annual Diversity+Inclusion Summit convened by the Manufacturing Institute, leaders gathered to share data, insights and lessons gleaned from their own D&I efforts. Hailing from many different industry sectors and companies of all sizes, the panelists and attendees laid out concrete actions that can transform companies’ D&I objectives.

Why it matters: With 2.1 million jobs expected to go unfilled in the industry by 2030, manufacturers need to find new populations of potential employees. Recruiting more women, racial and ethnic minorities and neurodiverse workers can expand companies’ talent pools and strengthen their workforces.

  • In fact, increasing the current female workforce from 29% to 35% would fill the industry’s 746,000 open jobs all on its own, according to a recent study by the MI and Colonial Life.
  • That’s why the MI is working to meet this target through its 35 x 30 Campaign—i.e., increasing the percentage of women in manufacturing to 35% by 2030.

How to do it: The summit offered important tips to help companies boost their D&I efforts, including:

  • Get buy-in from company leaders: Research shows that D&I efforts lead to greater productivity, increased innovation and higher revenue—not to mention the recruitment and retention benefits. Once companies set D&I goals, leaders should incorporate D&I objectives into their annual goals to create opportunities for accountability.
  • Use employee resource groups in a structured way: Companies should set up organizational structures for their ERGs that will ensure longevity and encourage fresh thinking, as well as align with companies’ overall D&I goals. These groups should have their own budgets and rotating leadership positions. When possible, the contributions of ERG leaders should be included in their incentive programs or annual goals.
  • Educate your first-line supervisors about D&I: By training first-line supervisors on the latest in D&I and company-specific objectives, companies can help them both support their teams better and collect feedback to inform the overall effort.
  • Offer child care and flexibility: In the post-pandemic environment, companies are still exploring what works best for them, but one thing is clear: to recruit and retain talent in a tight labor market, companies need to provide employees with options. (Check out our recent webinar on the same subject.)

Learn more: Interested in joining the conversation? Check out the MI’s D&I tools and resources, and register for upcoming events, including our upcoming Virtual Diversity+Inclusion Summit on Dec. 16, here. The virtual summit will include some recorded sessions from this event as well.

NAM Retirement Plans Offer Security for Manufacturers

At a time when attracting and retaining talented employees is more important than ever, offering a retirement plan can make a critical difference. But for manufacturers like Winton Machine Company, a tube and coax fabrication manufacturer based in Suwanee, Georgia, the cost of a plan can create a real challenge.

  • “It’s really difficult as a small manufacturer, because you’re competing against benefit packages that are given by large companies,” said Winton Machine CEO and co-owner Lisa Winton.

That’s why, when the company came across the NAM’s Manufacturers Retirement & Savings Plan, they knew they were onto something good.

A tailored plan: The Manufacturers Retirement & Savings Plan, offered in partnership with Principal Financial Group® and HUB International LLC, is a multiple employer plan that is available to all NAM members and designed to cover all 14,000 member companies. Companies of all sizes can participate, which creates new financial opportunities for and offers more security to the millions of men and women who make things in America.

A trusted approach: Winton appreciates that the program offers a product she can trust—and that her employees can rely on. Because the plan comes vetted and designed by the NAM, she can feel confident that she and her employees are invested in a high-quality offering.

  • “I have a hard enough time understanding what funds to put my 401(k) in,” said Winton. “I depend on a financial advisor who’s an expert in that area. So my employees, a lot of them are in the same position as I am.”

Useful resources: The NAM’s plan also comes with a range of exclusive tools designed to help manufacturers understand their investments so that they can make the most of the opportunities available to them.

  • “There’s great online resources, and we’re also able to share those videos on the premises with our people,” said Winton. “We’ve had one-on-ones, we’ve had group trainings. We’re looking forward to . . . having a financial advisor come and meet with our employees and talk to them, encourage them to put more money in their 401(k), but also help educate them on what’s happening with their money and how to invest it better.”

Accessible support: Winton Machine emphasized the value of the plan’s support system, which answers questions from employees and company leaders.

  • “It’s been very, very easy,” said Winton. “I have one point of contact, which is really important. I don’t have to go and call a 1-800 number if I’ve got an issue.”

The bottom line: “The [NAM retirement] plans are new, they haven’t been around that long, and they offer a lot of opportunities for us to share costs and also really understand your funds and understand what you’re paying for,” said Winton. “I think I have a much better overall product now at the same price or less.”

Manufacturing in 2030 Megatrend: Ride the Power Curve

Digital manufacturing is built on just five “cornerstones”—and the work done in those areas in the next decade and beyond will largely determine the success or failure of key aspects of manufacturing’s technological future, according to the Manufacturing Leadership Council, the NAM’s digital transformation arm.

The MLC says that developments in electronics, computer systems, communications technologies, software and cyber infrastructure will have a direct impact on advancements made in human-machine interaction, automation and robotics, and autonomous operation. We break these down below:

Electronics: Intel predicts that by 2030 it will be able to incorporate 1 trillion transistors on a single semiconductor chip.

  • Manufacturers will need that kind of power to enable computer systems and software to process much larger data volumes as they connect more plant equipment and people within their business ecosystems.

Computer systems: Manufacturers should expect a changing computer landscape as biological, physical and digital systems converge to offer more options.

  • Quantum computing and nanocomputing offer potentially greater computational ability, which will allow manufacturers to process more data faster.
  • Meanwhile, traditional computers will become lighter, thinner and more flexible. Different user interfaces, such as voice recognition, will progress.

Communications technologies: The years ahead will see manufacturers adopt 5G-based networks, which offer higher bandwidth and lower latency than prior technology.

  • Communications technology suppliers are already working on 6G networks, expected to become commercially available in 2030.

Software: Next-generation software applications, in addition to web and mobile capabilities, will support voice, wearables, touch and AR/VR to a greater extent than ever before.

  • These applications will be driven increasingly by artificial intelligence.

Cyber infrastructure: The cyber infrastructure that has been in development for the past two decades has allowed for separation between data and physical computing sources (i.e., cloud computing).

  • Looking ahead, an infrastructure that brings together data from all sources with business and technology tools will facilitate innovation, R&D, operating models and business growth.

Manufacturing in 2030 Project: Ride the Power Curve is just one of the megatrends identified by the Manufacturing in 2030 Project, a future-focused initiative of the MLC. For details on more megatrends, industry trends and key themes for Manufacturing in 2030, download the MLC’s new white paper “The Next Phase of Digital Evolution.”

Rail Unions Move Closer to National Strike

Another large labor union has voted to reject the rail deal brokered in part by the Biden administration, moving the industry closer to a strike, according to CNBC.

Split decision: Two of the largest railroad labor unions in the United States went separate ways during their contract ratification votes, which were announced on Monday. The Sheet Metal, Air, Rail and Transportation Workers – Transportation Division voted against the proposed agreement by a slim margin, while the Brotherhood of Locomotive Engineers and Trainmen voted to ratify it.

What it means: This latest action raises the likelihood of a rail work stoppage in early December. In total, 8 of 12 unions have now ratified the tentative agreement concluded in September, while the rank-and-file membership of 4 unions has rejected it.

  • Should one union choose to go on strike, the broad impact would cripple the national freight rail network.

The impact: The railroad industry and major shipping groups have found that a strike would likely cost around $2 billion per day, also according to CNBC. It would affect every major rail operator.

  • “The American Chemistry Council, which represents companies including 3M, Dow, Dupont, BP, Exxon Mobil and Eli Lilly, said a rail strike would impact approximately $2.8 billion in chemicals cargo a week, and lead to a GDP decline and renewed inflation.”
  • “Other industries, from agriculture to retail, have warned of the economic risks of a strike.”

Next steps: Negotiations will continue through a cooling-off period that runs until early December. If a deal is not reached by 12:01 a.m. EST on Dec. 5, a strike could occur. The NAM and others have urged Congress to take action under the Railway Labor Act and pass legislation that would avert a strike if railroads and rail unions cannot reach such a deal.

What we’re saying: “Manufacturers are disheartened by today’s news on the further unraveling of rail negotiations,” said NAM President and CEO Jay Timmons. “It’s clear that Congress, both Democrats and Republicans, must be prepared to work together immediately to avert a rail strike and prevent further damage to our supply chain.”

Talking Cybersecurity with NAM COO Todd Boppell

What should manufacturers know about cybersecurity threats? NAM COO Todd Boppell recently appeared on Mandiant’s “Defender’s Advantage Podcast” to explain how cyber criminals are targeting manufacturers today and what companies can do to protect themselves. Here’s some of his advice.

The threat today: While cyberthreats are nothing new, in recent years there has been a sea change, Boppell said.

  • “I think what’s really changed in the past five years, especially—it probably started in the past 10, but it’s massively accelerated—is that cybercrime as a business model is on the rise,” he said.
  • “A lot of the bad guys, whether their motivations are political or purely economic, have realized that ransomware and other forms of pure disruption are sometimes just as helpful or just as lucrative as stealing any sort of intellectual property.”

Manufacturing as a target: Manufacturers get victimized by ransomware attacks “because manufacturing is one of the least tolerant industries of any sort of downtime,” Boppell continued.

  • “Over the past five years, manufacturing was always in the top three [sectors targeted by cyber criminals], typically with medical and financial services … but really over the past 18 to 24 months, all the data I have seen says that manufacturing has jumped to number one and has stayed there.”

What small businesses need to know: Small businesses may believe that they are beneath notice for cyber criminals, but that’s not the case, said Boppell.

  • Once they come to terms with that depressing reality, small companies should take a look at their staff and operations, he said. “Do they have the talent on staff to understand what they should do, what their risks are, which systems they currently have that need to be addressed? Do they understand all the acronyms at play? Do they understand the different threat vectors?”
  • And last, once the company generally knows what it’s doing and perhaps has some IT support, it should consider its budget, and how it can “get the most bang for its buck.”

What large businesses need to know: “Larger companies want to be helpful, and they want to help secure their supply chain partners, because it is absolutely in their best interests. … However, they are unbelievably busy just protecting their own boundaries and just worrying about all the attacks they’re facing,” Boppell said.

  • “And of course, it’s always a little bit frustrating for smaller companies to have a larger company try to tell them what to do … so you have to really manage those relationships and figure out the right way to go in and help.”

The most important thing: “The number-one thing I’m trying to get through, and the number-one myth I want to dispel, is that a lot of small manufacturers believe that … they have no IP to protect,” said Boppell. “Maybe they make screws and fasteners, or maybe they make mattresses or whatever. … They feel like cyber is not a big deal for them.”

  • “What we’ve seen with ransomware is that’s absolutely not true. Their ransomware risk is just as high as anyone else’s because they can’t tolerate downtime. And if they haven’t taken the steps to secure their networks and their equipment, then they’re going to be even more prone to falling victim to ransomware.”

Listen to the whole thing: You can find the entire interview with Boppell here.

Protect yourself: Interested in safeguarding your company? NAM Cyber Cover was designed specifically to give manufacturers and their supply chains enhanced risk mitigation and protection. Find out more here, and check out this webinar on the state of cybersecurity for manufacturers.

Fostering a Diverse, Inclusive Culture at Smithfield

When it comes to diversity and inclusion, Smithfield Foods puts its commitments into action.

The world’s largest pork processor has committed to measurable increases—of 35% and 30%, respectively—in the hiring and promotion of women and individuals in underrepresented groups. And it’s pledged to do it all by 2030.

Bridging a gap: In September 2020, the Virginia-headquartered manufacturer launched its Operations Leadership Program, created to develop a strong pipeline of diverse talent to fill future management roles.

  • “We lead with data. And our data shows there’s a gap in diverse representation between production and management,” said Smithfield Foods Manager of Diversity, Equity & Inclusion Jessica Jones. “The OLP provided us an opportunity to track data on team members, their promotion opportunities, how they’re elevating within the company with a commitment to monitor year-over-year data three years after program completion for each cohort.”
  • In just over two years, the program, which garners participants through applications, has seen 132 graduates and nearly 50 promotions.

Providing encouragement: Ironically, many of the same employees the OLP was designed to help were initially reluctant to apply, Jones said.

  • “We did focus groups and what we realized is, those who weren’t applying were women and people of color,” she said. “They shared, ‘I don’t think it’s for me,’ and when we heard that, we realized it meant, ‘I never saw myself going higher than my current opportunity.’”
  • Smithfield’s leadership began to strategically target their communications to specifically focus on these employees and encourage them to consider the program. “That’s when we started to see the uptick in more women and people of color applying,” Jones said.

Other D&I initiatives: To reach its lofty 2030 diversity and inclusion goals, Smithfield has deployed other programs, too, including the following:

  • Smithfield’s Farmer Diversity Program, which aims to increase the number of Black and minority hog farmers in the company’s supply chain;
  • A Future Leaders Program that gives scholarships and career opportunities to rising high school seniors through summer internships to increase diversity in leadership;
  • An expansion of the Smithfield Foods Scholarship Program for eligible dependents of Smithfield employees so that it includes historically Black colleges and universities; and,
  • A supply-chain initiative in which the company has committed to increasing its production-facility spend with minority-owned businesses by 14% by 2025.

The company has also signed NAM’s Pledge for Action, in which manufacturers commit to 50,000 specific actions to increase diversity and inclusion. 

The last word: “I have seen this company change and evolve in such a wonderful way,” Jones said. “We now have opportunities to elevate and expose our employee base to Smithfield’s leadership—making sure they have a touch point, a way to connect. Our leadership wants to know how they are doing, prevalent challenges and support needed. The change has been so encouraging.”

“Cybersecurity Finds You”: An Interview with Rockwell Automation’s CISO

When asked how she got into cybersecurity, Nicole Darden Ford replies “cybersecurity kind of finds you.” The new chief information security officer at Rockwell Automation began her career in the military, where she first got into cybersecurity, then created a cybersecurity program for the U.S. Department of Agriculture before taking several leadership roles in the private sector.

Today, her advice for companies is surprisingly similar: cyberattacks will find you. As she puts it, “It’s not if, it’s when. And it’s not one time, it’s several.”

So how should manufacturers prepare for these threats? We spoke to Darden Ford recently about her recommendations, as well as Rockwell’s efforts to safeguard its own supply chain and provide services to other companies.

The current situation: “Manufacturers account for 65% of industrial ransomware last year. We’ve seen an unprecedented number of attacks, and we’ve seen attackers focus on OT,” Darden Ford says. She predicts the attacks on OT will only escalate.

  • Meanwhile, many manufacturers have a clear strategy for IT, but they have not given as much thought to protecting their operational technology. Yet, as machines get more connected, their operations may become more vulnerable—especially as companies try to integrate legacy systems that weren’t “meant to be connected or patched.”
  • In addition, “because we are so connected, there are third-party risks,” Darden Ford says. Small manufacturers may be more inviting targets for hackers than they realize, since their systems could provide a back door into the networks of their larger clients.
  • On the plus side, manufacturers are getting smarter in building their defenses, she says. And that’s where Rockwell comes in.

Rockwell’s role: Rockwell aspires to become a “trusted advisor” to companies seeking cyber defenses, says Darden Ford. It already manufactured OT, so moving into cybersecurity for such equipment was a natural next step.

  • Its partnerships with other firms, including Dragos, CrowdStrike, Cisco and others, allow Rockwell to offer bespoke cyber monitoring and other services to its clients.
  • These services include penetration testing, threat detection and response and an OT “SOC”—i.e., a security operations center, which monitors threats to clients’ operations remotely.

How it works: “We have an OT cybersecurity roadmap—it starts with an assessment in your specific OT space, then walks through potential risks,” Darden Ford says. (See the end of this article for her detailed description of this roadmap.)

  • The process includes building an “asset inventory, as you can’t protect what you don’t know.”
  • “Then we talk about ways you can reduce your attack surface,” Darden Ford continues. “This is about segmentation. We help organizations divide their network into different domains. If you have ransomware or malware that propagates very quickly, then you have the opportunity to quarantine it.”
  • In addition, the roadmap helps companies decide which tools and resources to use. For OT, you need to use very passive systems that don’t interfere with “getting the product out the door,” Darden Ford says.

After this process is complete, Rockwell’s SOC helps clients stay safe and hone their responses to real attacks.

  • The SOC keeps eyes on a company’s operations remotely, notifies it of breaches within the plant network and helps it decide which threats to tackle. As Darden Ford says, the SOC stands in for the teams that companies would otherwise have to hire themselves.

On-site resources: Manufacturers can tap their existing staff to work on cyber defenses, including with offsite monitors. Darden Ford recommends drafting “the plant engineering team, along with the IT team,” who would have the knowledge and resources required.

A community effort: Large manufacturers should help educate small manufacturers on cyber issues, says Darden Ford.

  • “We have a lot of suppliers, so to mitigate third-party risk, we provide more awareness about OT and advice about upping their cyber hygiene. We work closely with suppliers and do a lot of knowledge sharing,” she says.

Collaboration at the top: In addition, it’s also beneficial for CISOs and manufacturing leaders to consult their peers in what Darden Ford calls “mastermind sessions.”

  • These conversations have provided her with “a lot of insights and data,” she says. She gets indispensable input on “strategies, frameworks, journeys and roadmaps,” as companies try to find their way through this cyber landscape together.

The bottom line: When asked what she says to companies that doubt the need for cyber protections, Darden Ford has a simple answer: “You wouldn’t drive your car without insurance—that’s what this is.”

  • “What used to be optional is becoming mandatory,” she adds. “For small or midsize companies, you are still going to have to report” back to your large customers, many of whom require stringent protections of their suppliers. Those requirements will only get “more and more rigorous over time,” she warns.
  • In other words, however you choose to do it, “you need a plan.”

 

The Roadmap

Darden Ford supplied us with her account of Rockwell’s cyber roadmap for its own suppliers, below. “The playbook aligns with the NIST framework, showing you step-by-step how to audit your current security state, identify gaps and take a proactive approach to mitigate risk,” she says. Here is her account of the key steps.

Step #1: Discover 

  • Know where you stand. Conduct a security and risk assessment—log all issues and review progress against findings.
  • You can’t protect what you can’t see. You must gain a full understanding of what network assets you have on your plant floor and their current state. Start by conducting extensive network discovery and asset inventory.

Step #2: Remediate

  • Work with stakeholders to prioritize assets and organizational risk levels. Take the necessary steps to eliminate, upgrade or replace unneeded, unused or unsupported OT applications and infrastructure. This will look different for every organization based on what you discover in Step #1.

Step #3: Isolate

  • Establish a perimeter by physically and logically segmenting your networks. Put up a firewall and establish internal and external cybersecurity policies to protect your OT assets. Set up an on-premises industrial data center to encapsulate critical applications inside the protected OT network.
  • Secure endpoints with security software on plant floor assets.
  • Enable third-party remote access. Third parties need access, but you must control the access and maintain visibility into what they’re doing in your network by enabling OT access controls. 

Step #4: Monitor and Respond 

  • Now that you have a solid foundation in place, the next step is to implement OT network monitoring to provide real-time OT cybersecurity, including malicious event/asset risk alerting, network diagnostics, AI learning and KPI dashboarding. The data only works for you if you are continuously viewing and reacting to it.
  • Establish an OT SOC for 24/7 real-time alert monitoring, acknowledgement and triage. Cyberattacks aren’t limited to 9–5.
  • Create an integrated IT/OT cyber event response team. Define event response and isolation protocols. IT/OT must have equal involvement and buy-in for these protocols to be successful. Execute tabletop exercises to simulate attacks and outcomes.