On September 6th, 2017, Anders Norremo, CEO of ThirdPartyTrust, moderated a panel of manufacturing experts on the topic of CyberSecurity & Manufacturing in the Digital Era at the OnRamp Conference in Milwaukee, WI.
Panelists included Chris Merkel, CISO of Brunswick Corp; David McPhee, the Regional Information Security Manager at Caterpillar; Michael Goetzman, CISO at Master Lock; and Steve Brukbacher, the Application Security Manager at Johnson Controls.
What is at the forefront, right now regarding cybersecurity and manufacturing?
David McPhee says his biggest challenge and concern is taking their organization's security to the next level by making sure every device is secure. This includes not only being reactive after a breach happens, but also preparing for what could happen in the future. Chris Merkel agrees with the latter, and adds that he is always thinking about what could be the weakest link to get to the data (both financial info and intellectual property) and what information is making it's way through third parties.
Merkel also voices that disruption in the ecosystem is always top of mind.
"As more organizations network, more interconnectedness is created where more areas can fail. If the interconnectedness of systems is not managed well, it can cascade into manufacturing, resulting in lost work days. It's not just attacks from a malicious actor, it's the disruption that comes from the complexity of interdependence."
What is the biggest misconception people have when it comes to cybersecurity?
"There is a misnomer that [cybersecurity] is just an IT department problem -- the reality is that a cyber threat effects everyone in the organization so it is important for everyone to be educated" says McPhee.
The other panelists are in consensis, echoing that part of their approach has been bringing facility and IT folks together because both have a stake if the systems go down.
With the traditional supply chain becoming increasingly more digital, how does this affect your job?
Brukbacher states it's important to work with your partners to get to a better place, and having security requirements written initially into contracts will save a lot of trouble down the road. Goetzman of Master Lock notes that security is not a consistent state -- cybersecurity is constantly evolving, so ten years from now it will be different. "It's important to stay educated and be an advocate on security" adds McPhee.
What are some good tips for raising cyber awareness inside manufacturing companies?
All companies seem to be on the same page recommending creating employee awareness around security and exciting staff so they become more interested in the topic. "If people are interested, they'll start making more logical decisions , like thinking about things before clicking on it, which means less work later". McPhee notes that Caterpillar has created an ambassador program for individuals who are particularly interested in this area, having them be advocates on educating their peers.
Cyber risk management in the manufacturing is not too far off from other industries. Employee awareness, the right tools to mitigate exposure and a plan seem to be at the top of the list to minimize risk exposure caused by vendors. Connected devices seemed to topic of concern amongst panelists and industry professionals and if you want to learn more, check out "Who Will be in Charge of IoT Security" blog.