Manufacturing security is the new frontier

Dawn Cappelli, vice president, global security, and CISO at Rockwell Automation

What happens when information technology (IT) and operational technology (OT) converge? What role does culture play, and where are we going to have to make it work in global security? Those are questions IT leader Dawn Cappelli talks about in our interview this week.

Cappelli is vice president of global security and the chief information security officer (CISO) at Rockwell Automation, a Fortune 500 company in the business of provider of industrial automation and information technology. She’s responsible for securing over 23,000 employees, thousands of contractors and more than 100 locations around the world. She also founded and directed the CERT Insider Threat Center at Carnegie Mellon University’s Software Engineering Institute.

What’s the biggest tech win internally that you’ve overseen in the last 24 months?

Cappelli: Well, we all know that SolarWinds happened a year ago. [In early 2020, hackers found their way into SolarWind’s systems and added malicious code into the company’s software system. The code created a backdoor to customer’s IT systems, creating an opportunity for spying via even more hacking into other companies and organizations.]

And, because of SolarWinds, supply chain security really came into view, as the industry began to ask, ‘What are we going to do?’ As an industry, we understand that our own products needed to be secure, but the conversation inside Rockwell actually began back in 2017 that we needed to protect our products for our consumers through requirements that our software vendors in the product supply chain also be reviewed.

What did the change in 2017 look like?

Cappelli: We had a third-party risk management plan and group in place for many years by 2017, but now we had to do it for our software vendors. This included open-source software, and all of our software suppliers. Even in 2017, we realized that we needed to look at the software development lifecycle (SDLC) needs across our company to have a secure development environment.

Then we began a whole new process, because a lot of the companies supporting us didn’t have the same secure development lifecycle approach underway. We ran pilots. So by the time the issues of the SolarWinds attack heightened the need, we were ahead of the game compared to other companies in IT. It is unusual for OT to be ahead of IT. We had to push security down into the supply side. Every year, our team works on the certifications for industrial control systems — IEC 62443 standards — so this contributed to us being ahead.

Then ​The President’s Executive Order on ‘Improving the Nation’s Cybersecurity (14028)’ was issued on May 12, 2021.

Cappelli: That charged multiple federal agencies with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chainBy being ready, the enterprise must be looking at the language in its contracts and in doing assessments of its software development vendors.

SolarWinds was an important industry lesson. It taught us the importance of looking at SDLC, implementing zero trust and MFA-security controls now imposed on the supply chain. We have a chief product security officer as the lead on SDLC risk management.

How important is team culture to getting tasks completed in today’s tech environments?

Cappelli: Culture is an important driver in our company. We are holding cultural workshops in a series to make sure that our teams are staying connected during the pandemic and remote work. We ask managers to be real with their employees and ask questions in virtual water cooler sessions about how they’re doing and what suggestions they have for others during this time.

During the BLM protests, we talked about diversity, equity and inclusion (DEI) issues and let people say whatever they wanted to say. We put emphasis on not just diversity, but also inclusion. We have a DEI officer, but we are going beyond the conversations others may be having in their workplaces. One of our over-reaching goals has been to make sure that our overseas employees and those that would normally be in an office feel connected.

As a tech leader, what key counsel can you offer to a new CISO coming into a tech-growth company?

Cappelli: I will be retiring in January, and as we look for the next CISO, the company will be looking at how we are transforming into a cloud company. So the skills to move us forward are different. We are now expecting new releases constantly. However, that wasn’t the case when we were just concerned with PCIs. A new CISO will have to be in touch with understanding our customers and put an emphasis on DevSecOps. We must continually talk to our customers about security.

The new frontier to conquer is manufacturing security. IT and OT have not traditionally worked together, so now manufacturing is connecting to IT — real-time connections to the ERP system, for example. So security threats are into OT, like phishing issues — they now can move from IT to OT. The answer in the industry is that OT and IT must work together. There’s been a cultural barrier, and OT has been much less mature. The same tools will come into play, and we must modify the way we do things.

What’s the biggest task for new CISOs to learn?

New CISOs need to know that they can’t be security purists. They will not succeed. You have to come to the business balancing security and productivity. It’s really all about the business and securing it as we need to.