“Cybersecurity Finds You”: An Interview with Rockwell Automation’s CISO
When asked how she got into cybersecurity, Nicole Darden Ford replies “cybersecurity kind of finds you.” The new chief information security officer at Rockwell Automation began her career in the military, where she first got into cybersecurity, then created a cybersecurity program for the U.S. Department of Agriculture before taking several leadership roles in the private sector.
Today, her advice for companies is surprisingly similar: cyberattacks will find you. As she puts it, “It’s not if, it’s when. And it’s not one time, it’s several.”
So how should manufacturers prepare for these threats? We spoke to Darden Ford recently about her recommendations, as well as Rockwell’s efforts to safeguard its own supply chain and provide services to other companies.
The current situation: “Manufacturers account for 65% of industrial ransomware last year. We’ve seen an unprecedented number of attacks, and we’ve seen attackers focus on OT,” Darden Ford says. She predicts the attacks on OT will only escalate.
- Meanwhile, many manufacturers have a clear strategy for IT, but they have not given as much thought to protecting their operational technology. Yet, as machines get more connected, their operations may become more vulnerable—especially as companies try to integrate legacy systems that weren’t “meant to be connected or patched.”
- In addition, “because we are so connected, there are third-party risks,” Darden Ford says. Small manufacturers may be more inviting targets for hackers than they realize, since their systems could provide a back door into the networks of their larger clients.
- On the plus side, manufacturers are getting smarter in building their defenses, she says. And that’s where Rockwell comes in.
Rockwell’s role: Rockwell aspires to become a “trusted advisor” to companies seeking cyber defenses, says Darden Ford. It already manufactures OT equipment, so moving into cybersecurity for that equipment was a natural next step.
- Its partnerships with firms including Dragos, CrowdStrike and Cisco allow Rockwell to offer bespoke cyber monitoring and other services to its clients.
- These services include penetration testing, threat detection and response and an OT “SOC”—i.e., a security operations center, which monitors threats to clients’ operations remotely.
How it works: “We have an OT cybersecurity roadmap—it starts with an assessment in your specific OT space, then walks through potential risks,” Darden Ford says. (See the end of this article for her detailed description of this roadmap.)
- The process includes building an “asset inventory, as you can’t protect what you don’t know.”
- “Then we talk about ways you can reduce your attack surface,” Darden Ford continues. “This is about segmentation. We help organizations divide their network into different domains. If you have ransomware or malware that propagates very quickly, then you have the opportunity to quarantine it.”
- In addition, the roadmap helps companies decide which tools and resources to use. For OT, you need to use very passive systems that don’t interfere with “getting the product out the door,” Darden Ford says.
After this process is complete, Rockwell’s SOC helps clients stay safe and hone their responses to real attacks.
- The SOC keeps eyes on a company’s operations remotely, notifies it of breaches within the plant network and helps it decide which threats to tackle. As Darden Ford says, the SOC stands in for the teams that companies would otherwise have to hire themselves.
On-site resources: Manufacturers can tap their existing staff to work on cyber defenses alongside off-site monitoring services. Darden Ford recommends drafting “the plant engineering team, along with the IT team,” who would have the knowledge and resources required.
A community effort: Large manufacturers should help educate small manufacturers on cyber issues, says Darden Ford.
- “We have a lot of suppliers, so to mitigate third-party risk, we provide more awareness about OT and advice about upping their cyber hygiene. We work closely with suppliers and do a lot of knowledge sharing,” she says.
Collaboration at the top: It is also beneficial for CISOs and manufacturing leaders to consult their peers in what Darden Ford calls “mastermind sessions.”
- These conversations have provided her with “a lot of insights and data,” she says. She gets indispensable input on “strategies, frameworks, journeys and roadmaps,” as companies try to find their way through this cyber landscape together.
The bottom line: When asked what she says to companies that doubt the need for cyber protections, Darden Ford has a simple answer: “You wouldn’t drive your car without insurance—that’s what this is.”
- “What used to be optional is becoming mandatory,” she adds. “For small or midsize companies, you are still going to have to report” back to your large customers, many of whom require stringent protections of their suppliers. Those requirements will only get “more and more rigorous over time,” she warns.
- In other words, however you choose to do it, “you need a plan.”
The Roadmap
Darden Ford supplied us with her account of Rockwell’s cyber roadmap for its own suppliers, below. “The playbook aligns with the NIST framework, showing you step-by-step how to audit your current security state, identify gaps and take a proactive approach to mitigate risk,” she says. Here is her account of the key steps.
Step #1: Discover
- Know where you stand. Conduct a security and risk assessment—log all issues and review progress against findings.
- You can’t protect what you can’t see. You must gain a full understanding of what network assets you have on your plant floor and their current state. Start by conducting extensive network discovery and asset inventory.
Step #2: Remediate
- Work with stakeholders to prioritize assets and organizational risk levels. Take the necessary steps to eliminate, upgrade or replace unneeded, unused or unsupported OT applications and infrastructure. This will look different for every organization based on what you discover in Step #1.
Step #3: Isolate
- Establish a perimeter by physically and logically segmenting your networks. Put up a firewall and establish internal and external cybersecurity policies to protect your OT assets. Set up an on-premises industrial data center to encapsulate critical applications inside the protected OT network.
- Secure endpoints with security software on plant floor assets.
- Enable third-party remote access. Third parties need access, but you must control the access and maintain visibility into what they’re doing in your network by enabling OT access controls.
Step #4: Monitor and Respond
- Now that you have a solid foundation in place, the next step is to implement OT network monitoring to provide real-time OT cybersecurity, including malicious event/asset risk alerting, network diagnostics, AI learning and KPI dashboarding. The data only works for you if you are continuously viewing and reacting to it.
- Establish an OT SOC for 24/7 real-time alert monitoring, acknowledgement and triage. Cyberattacks aren’t limited to 9–5.
- Create an integrated IT/OT cyber event response team. Define event response and isolation protocols. IT/OT must have equal involvement and buy-in for these protocols to be successful. Execute tabletop exercises to simulate attacks and outcomes.
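The four steps above describe a process, not a tool. As an added illustration (example code written for this article, not Rockwell’s or any partner’s product), the script below shows what the first three steps look like in data form: it derives an asset inventory purely from observed traffic, so nothing is probed on the plant floor (Step 1), flags assets whose firmware appears on a constructed end-of-support list (Step 2), checks every conversation against a zone model of the kind segmentation produces (Step 3) and turns violations into alert records a SOC could triage (Step 4). The subnets, zone policy, firmware identifiers and flow records are all constructed sample data, and the industrial port labels are an assumption about which protocols matter in this plant.

```python
"""Passive asset inventory and segmentation check over constructed flow records.

Added illustration of the roadmap steps: discover assets from observed traffic
(Step 1), flag end-of-support firmware (Step 2), check conversations against a
zone model (Step 3) and emit alerts for a SOC (Step 4). Every host, zone,
firmware string and flow here is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

# Assumption: industrial protocol ports worth labelling in the inventory.
INDUSTRIAL_PORTS = {502: "modbus-tcp", 44818: "ethernet-ip", 20000: "dnp3", 102: "s7comm"}

# Constructed zone model from Step 3 (isolate): zone name -> subnet.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "plant": ipaddress.ip_network("192.168.100.0/24"),
}
# Policy assumption: the plant zone may only talk to itself and the DMZ.
ALLOWED = {("plant", "plant"), ("plant", "dmz"), ("dmz", "plant"),
           ("dmz", "dmz"), ("dmz", "enterprise"), ("enterprise", "dmz"),
           ("enterprise", "enterprise")}

# Constructed vendor support list for Step 2: firmware identifiers past end of support.
END_OF_SUPPORT = {"ctrl-fw-1.2", "hmi-os-2009"}

# Constructed flow records as a passive sensor might emit them:
# (timestamp, src ip, dst ip, dst port, firmware banner observed from src or None)
SAMPLE_FLOWS = [
    ("09:00:01", "192.168.100.10", "192.168.100.20", 44818, "ctrl-fw-1.2"),
    ("09:00:05", "192.168.100.11", "192.168.100.20", 502, "ctrl-fw-3.0"),
    ("09:00:09", "10.20.0.5", "192.168.100.20", 44818, None),           # dmz -> plant, allowed
    ("09:01:12", "10.10.4.7", "192.168.100.10", 502, None),             # enterprise -> plant
    ("09:02:30", "192.168.100.30", "10.10.4.7", 443, "hmi-os-2009"),    # plant -> enterprise
    ("09:03:00", "172.16.0.9", "192.168.100.11", 502, None),            # subnet not in zone model
]


@dataclass
class Asset:
    ip: str
    zone: str
    first_seen: str
    last_seen: str
    protocols: set = field(default_factory=set)
    peers: set = field(default_factory=set)
    firmware: Optional[str] = None


def zone_of(ip: str) -> str:
    """Map an address to the Step 3 zone model; 'unmapped' means the model has a gap."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unmapped"


def build_inventory(flows):
    """Step 1: derive the asset list purely from observed traffic (no probes sent)."""
    inventory = {}
    for ts, src, dst, dport, banner in flows:
        for ip in (src, dst):
            asset = inventory.setdefault(ip, Asset(ip, zone_of(ip), ts, ts))
            asset.last_seen = ts
            if dport in INDUSTRIAL_PORTS:
                asset.protocols.add(INDUSTRIAL_PORTS[dport])
        inventory[src].peers.add(dst)
        inventory[dst].peers.add(src)
        if banner:
            inventory[src].firmware = banner
    return inventory


def remediation_candidates(inventory):
    """Step 2: assets running firmware the vendor no longer supports."""
    return sorted(ip for ip, a in inventory.items() if a.firmware in END_OF_SUPPORT)


def segmentation_alerts(flows):
    """Steps 3 and 4: flag conversations that cross a boundary the zone model forbids."""
    alerts = []
    for ts, src, dst, dport, _ in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if "unmapped" in (sz, dz):
            reason = "unmapped zone"          # inventory gap: fix the model before trusting alerts
        elif (sz, dz) not in ALLOWED:
            reason = "zone pair not allowed"  # segmentation policy violated
        else:
            continue
        alerts.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                       "zones": (sz, dz), "reason": reason})
    return alerts


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS)
    for a in sorted(inv.values(), key=lambda a: a.ip):
        print(f"{a.ip:16} {a.zone:10} {sorted(a.protocols)} fw={a.firmware}")
    print("remediate:", remediation_candidates(inv))
    for alert in segmentation_alerts(SAMPLE_FLOWS):
        print("ALERT", alert)
```

Two design points follow the roadmap’s own emphasis. The inventory is built only from traffic a sensor has already seen, which is the “very passive” posture the interview calls for on a plant floor. And an address outside the zone model produces its own alert kind rather than being silently allowed or blocked, because an unmapped asset is exactly the “what you don’t know” that Step 1 exists to eliminate.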