MAY-JUN 2019


Executive Corner | Tips and Strategies for Managers
Building a cybersecure manufacturing strategy
By Bill Lydon

I was fortunate to have the opportunity to talk with Dawn Cappelli, an experienced and accomplished cybersecurity expert, who shared her advice on building cybersecure manufacturing organizations. Cappelli is vice president, global security, and chief information security officer at Rockwell Automation. Before coming to Rockwell, she was founder and director of Carnegie Mellon's CERT Insider Threat Center. Cappelli is recognized as one of the world's leaders in insider threat mitigation and has worked with government and industry leaders on national strategy issues. She is a certified information systems security professional (CISSP) and has a BS in computer science and mathematics from the University of Pittsburgh. Cappelli came to Rockwell Automation in 2013 as director, insider risk, and built the company's insider risk program. Her team is responsible for protecting Rockwell Automation and its ecosystem of customers, suppliers, distributors, and partners from the ever-changing global cyber-threat landscape.

I asked Cappelli what first steps a manufacturing company should take on the journey to achieve cybersecurity protection. She shared her experience, insights, and recommendations for creating a comprehensive industrial cybersecure manufacturing organization.

The first step a manufacturer should take is to determine the leader of the cybersecurity effort. Cappelli noted that many manufacturing companies already have a chief information security officer (CISO) responsible for information technology (IT) security, but traditionally operational technology (OT) security has been the responsibility of the OT engineers. "People are realizing now, due to the convergence of IT and OT, that it's important to have one security leader responsible for all cybersecurity for the company." This is someone who can work with both IT and OT to build and execute a holistic cybersecurity strategy that encompasses the entire ecosystem: not only IT and OT, but also all external connections, including third parties and the supply chain.

Cappelli described the industry trend of CISOs being given responsibility and/or accountability for all cybersecurity for the company. One reason is that cybersecurity in IT is significantly more mature than in OT, and someone with IT security experience understands how to methodically build the cybersecurity program across the organization using a risk-based approach.

One of the challenges is building a cross-functional team including both IT and OT, since traditionally they have not worked closely together. Cappelli recommends using the NIST Cybersecurity Framework (NIST CSF) as a tool to deploy a focused process and involve all parties. The framework helps to identify gaps in cybersecurity strategy and becomes the blueprint for risk assessment. Bringing together cross-functional personnel consisting of IT and OT experts, plant experts, and plant engineers using the NIST CSF focuses the activity and fosters team building based on shared goals. This process for building the strategy creates a shared vision and understanding of all stakeholders' challenges, and ongoing positive working relationships. An important part of this process is prioritizing cybersecurity efforts based on risk. This helps companies prioritize investments, because it is typically impractical to do everything at once.

I asked Cappelli for any tips based on her experience building the Rockwell Automation program over the past few years. She suggests starting first in the IT group to "get your feet wet" if you have not yet used the NIST CSF, then using the NIST CSF Manufacturing Profile to create your manufacturing security strategy. The NIST CSF also helps to identify some quick wins for the manufacturing environment, like ongoing communications to maintain security awareness among plant personnel. Rockwell Automation has done this with a monthly cybersecurity awareness bulletin to reinforce topics like the importance of physical security, social engineering, not sharing passwords, and safely using USBs. ■

ABOUT THE AUTHOR
Bill Lydon (blydon@isa.org) is an InTech contributing editor with more than 25 years of industry experience.

RESOURCES
NIST Cybersecurity Framework: cyberframework
ISA Cybersecurity Resources: topics/cybersecurity/cybersecurity-resources
