[00:00:00] Speaker A: You could say backing of data is rather boring. But you know, I'll tell you something, that boring type of task has probably saved a lot of companies from the headache and from the loss, and not only just the loss here, but the public image. Right. Because I don't think many people recognize the fact that when you lose your data, it's public knowledge and it has to be reported out. So I think there is a whole ripple effect that happens when people just simply don't do the boring type of tasks that can really impact and serve as a detriment to their company in the long run.
[00:00:38] Speaker B: This is kbcazi for ransomware campaigns, security and testing and performance, risk and compliance. We can actually automatically take that data and use it.
Joining me today is Imran Hussain, global Chief Internet Information Security Officer at Miller Knoll. And today we're discussing cybersecurity threats in the manufacturing world. So Imran, thanks for joining and welcome.
[00:01:04] Speaker A: Thanks Carissa. Thank you for having me.
[00:01:06] Speaker B: Okay, so this is really interesting. Just before we started I said I've never really done an interview in 300 plus in manufacturing. Take us through a little bit of history. Let's go back in time.
Walk us through what does that look like in terms of the manufacturing space? Tell us everything.
[00:01:23] Speaker A: Yeah, so manufacturing is one of those industries that really didn't come to terms with technology and the advancement of IT due to the fact that most of what we see within manufacturing is manual based. Right. So we're talking about levers, we're talking about pull shifts, we're talking about regards to systems. They're all within the world of manufacturing. So industrial control systems, software devices, this stuff doesn't bridge over to information technology, which is what most companies have within their respective environments is technology environments. You know what those are? Laptops, routers, network devices, everything sounds familiar for us. So manufacturing was always isolated away from that until we started to realize that they were starting to gain some traction with something called IoT. Right. So IoT is the Internet of things.
And the Internet of things really changed the landscape for manufacturing because what it did is that it took those devices that I just mentioned within the manufacturing world and it converted it over online. And so those types of pulleys and shifts and levers that you needed to actually manually press no longer was needed because you could do a lot of those things remote. And as that technologies tended to increase, the manufacturing world became much more technological in their view, in their perspective, in terms of how to be more cost effective and efficient. What happened though as a result Is that most, though not all, but most, did not think about the issues when it comes to cyber attacks. So, and I'll explain that in just a second. Because of the fact that there's many manufacturing plants that use actually black box or external vendors to go ahead and supplement their systems, whether with upgrades or version controls or whatnot, you needed to go ahead and create an Internet connection into those respective systems. The problem was is that they did not go ahead and forecast the different types of threat attacks that could happen as a result of these open Internet connections into manufacturing plants. Taking us all the way now up to 2010, that's when the first recognized cyber attack happened on a manufacturing plant. And perhaps some of your listeners are familiar with Stuxnet, which is that computer worm that went ahead and attacked the uranium enrichment facility in Iran, and they targeted Siemens industrial control systems. So that was the first known impact to the actual manufacturing plant done digitally. Right. Which caused physical damage, which had issues to the nuclear program that Iran had. And then of course, the significance to that was the fact that this industrial equipment completely failed on them. That was the very first one, as we know. And now as we continue to go down the path in terms of understanding exactly the other different types of attacks, the one which is the most known, the ransomware attack, again, the first one being in 2019 against the Norwegian aluminum manufacturer known as Norse Hydrogen. We have now re shaped our view in terms of what cyber can do, cyber attacks can do within the manufacturing world. So it's a very, very serious issue. It's become something which has been on the uptick. Right. I believe there was a few statistics, most notably from Dragos, which is one of these OT industrial consulting firms, that noted that there was about a 60% rise in ransomware groups affecting OT and ICS, which are operational technology and industrial systems, in 2024. So that's huge.
And at this point, I don't see that going down. It's probably continue to go up as we see more manufacturing plants go online.
[00:05:14] Speaker B: Wow, that's excellent. I think this is. This is really interesting. I want to go back to the Norse Hydro. So from my understanding, when that occurred, apparently their share price went up because typically you'd think, oh, it'd go down, but it went up. So I don't know how closely you followed that, but I think it's how they handled it, which is rare in comparison, especially here in Australia. We've had a lot of breaches and people just aren't handling them very well.
So do you find that Interesting though, that that's probably a very rare case that I've seen someone's share price go up after an incident.
[00:05:46] Speaker A: Yeah, you know, it is unique, but I don't think it's so exceptional. And I'll tell you why.
Because of the fact that we are seeing manufacturing plants trying to invest cybersecurity programs within their manufacturing, or to a larger degree, their operational technology environment, which includes manufacturing and supply chain. The fact that they can go ahead and become more resilient has a lot to do in terms of the significance to their stock and to their revenue. So as an example, if an attack were to occur at a manufacturing plant, you can take the approach by saying all manufacturing plants are going to get hit one time or another. But the key difference between one plant to another is the resilience and the recovery time in terms of how fast their systems are restored. That's the first part. The second part to all of this. And again, your listeners probably know this, but normally ransomware attacks are successful because data is not backed up. And in this case with regards to Norse Hydro, if the data had been backed up, which I believe it was, then that is a significant barrier in a significant way to view how this company rebounded from such an attack. Now, let's be very clear. There was a still significant loss for Norsk Hydro. I believe it was 70 million plus. But that being said, the stock shares and the way that people saw that from a public relations perspective really didn't impact the company as much as other people may have expected.
[00:07:25] Speaker B: Okay, so there's a couple of things in there you say, which is really interesting, that I want to get into. You said about being more resilient. As you know, everyone in industry is going to, oh, we got to be resilient. More resilient, right. What do you think that means to you, given your role in the industry that you work in day to day?
[00:07:41] Speaker A: So cyber resilience is a term that people within the cyber world know about. Right. It resilience basically means how fast you're able to, number one, withstand any type of attack. Right. So when you see the attacks do come in, when you notice an incident that's taking place, the preparation to resist it is very critical. In other words, how do you go ahead and contain. How do you go ahead and mitigate that sizable impact? Right. There's a term called blast radius. Blast radius basically means with the network, if some. If an attack were to occur, how deep within that network can it impact? Can it also impact your ERP systems? Can Impact your operational systems, can it impact any system that is going to have a significant revenue loss to the company? So when you look at it from that perspective, right, Resilience is all about how to respond and contain and then mitigate. So when we're talking about that in manufacturing, it's really the same application. You're trying to go ahead and isolate what you would consider as the attack.
You're trying to go ahead, limit the blast radius, you're trying to make sure that your most significant in your critical assets are impacted. And then more importantly, you're trying to figure out exactly how to not go through that again.
So resilience comes in in different packages, but it all leads up to the same path, which is maintaining the amount of impact that that respective cyber attack can have within your environment.
[00:09:16] Speaker B: So then, speaking of impact, moving to what you said before, around how fast can company systems be restored? Now this is so interesting. So I was reading, there was a report that I was reading recently all about this.
People are saying days, weeks, months.
So if you look at about in a manufacturing sort of capacity, when these things are running like 24 by 7, not to, you know, be restored for months, that's crazy. So do you have any sort of insight around how quickly we can be restored in terms of the manufacturing space? It's not like it's an office, it's nine to five and then, you know, there's a whole bunch of hours people aren't operating. But in businesses like yours, that even has more impact because it's always on.
[00:10:02] Speaker A: Yeah, you know, I think it's really about the type of attack that can occur. And I think, and I don't like to necessarily categorize attacks because all of them are bad, I mean, but some are technically less than others. And I'll kind of give you some examples when we talk about an attack, right, like phishing, a phishing attack could happen, but the resolution to it is probably a lot less, probably hours, maximum few days to recover from a phishing attack because there are tools in place. People nowadays have better technology, they have better alerts, better monitoring to go ahead and respond against attack of that nature. But if we talk about something like DDoS attack, that could perhaps take a little bit more time if not mitigated. And a DDoS attack basically brings down your systems. It takes time to recover because of the lack of bandwidth. We keep going up that ladder to a point like zero day exploit, which can have a significant, tremendous impact on your environment. And that can be anywhere from weeks to months. And it doesn't matter if it's within it or ot. It's the fact that the complexity of that type of attack is just going to take debt much longer. So it's hard to go ahead and say the recovery time, whether you're 24 hours. We tend to gravitate more towards business continuity and disaster recovery from that perspective. And obviously there is a fine line between cybersecurity and Dr. And business continuity. But the fact is is that it's hard to kind of gauge. But if you look at it from that type of ladder, I kind of gave you the examples with you're going to get a better understanding in terms of what you can resolve quicker and what's probably going to take longer.
[00:11:45] Speaker B: Okay, so then I want to move into. You said before data is not backed up. I hear this a lot. I'm having lots of conversations on the podcast in the media space around people just aren't doing it. Why would you say companies just don't do it? Do they forget about it. It's they got other things to do on their to do list. It gets relegated. What are your insights?
[00:12:07] Speaker A: Yeah, you know, the fact is, is that it's expensive when you think about backing up your data. You think about critical data and everybody's got their own interpretation of critical data. But for the most part it's usually sensitive data patents, anything of legality, anything of compliance, maybe cardholder information or patient information.
Regardless of what that sensitive data is, it's expensive to go ahead and back up. And there's two ways that you could look at it, right? You have your on prem devices or your on prem servers which many companies still use. Not everybod on the cloud just yet. But that costs money to back up. And normally it becomes more expensive when you're doing it manually and you're. You're backing it up on tapes and you're sending it to some type of safe repository warehouse to go ahead and keep in case you would ever need it again. You also have the on prem backing up to cloud which is much more cost effective but at the same time it's still a process and it still costs dollars to go ahead and back up. When looking at it from a cost perspective, it's certainly a glaring red flag that you're going to have to allocate so much money towards it. But the other part to it is kind of what you hit on Karissa, which is people tend to forget. People don't think about it as being something that needs to be important because when do you ever really go back to your data? A lot of times people just back up data because there's some type of compliance or privacy law which says you need to back up your data for seven years. But nobody thinks about if we were ever attacked from a ransomware, would we ever be able to go ahead and pull that data back? But the fact is, is that it's extremely critical because there's customer data which is on there. A lot of times it's in a structured format coming from databases. And that in itself is priceless. Like you can't necessarily replace that if you were having to build that from scratch.
So what happens as a result is these ransomware attackers know this and they'll go after these companies who more or less probably don't take it as seriously. What then happens is that you'll have to pay. And in many cases companies do pay. But the unfortunate part to all of this is that when they do receive their data back, it's normally not ever in the same pure state that it, that they, that they were ransomware in. And so what happens is that now your data is contaminated and the work still has to be completed in terms of restructuring that data in itself. So again, it's extremely important, especially within the manufacturing world, to back up data as it pertains to sensors and unique devices within that topology to make sure that if ever needed, you can always go back to it to allow your operational systems to run like they should be.
[00:14:51] Speaker B: Okay, I want to get into this a little bit more. So let's go back in timeline. Do you remember, I mean, Imax banking and finance, there was probably around 20, 2014, 2013. We were literally collecting every piece of data that we could with anyone to be able to sell them stuff. Right now it's like, oh, we got to get rid of all this information because we don't want it. Because especially you're in Australia, you hold that information, you get breach, you get a massive fine. So people are now trying to shed that data. The other thing that I've been speaking to, so I spoke to the, I think the Chief Evangelist for NetApp spoke about like 80% of this data that we have backed up people not even using. Anyway, to your previous point, no one remembers, I don't need it unless there is already ransomware attack, etc. So where do you think we are in terms of. We went through a stage of collecting every piece of information to, oh, wow, now we have a lot of data on people we need to get rid of because we're holding too much PII and we are not even leveraging all of this data. And to your point, it's really expensive in terms of people's mind, where are we sort of at? Are they trying to now classify where this data sits, what we need to get rid of, backup, etc. What are your thoughts?
[00:15:57] Speaker A: That's a million dollar question. It's hard to really kind of understand and quantify, much less qualify that data in terms of, number one, where it's at within a respective company, who has access to it, who is the custodian of it, and more importantly, do they need it. Right. So I think with different companies it tends to be, and I would even say companies, I think in different industries, you see the use of that data, whether it's relevant or not, kind of really being interpreted from those industrial perspectives. I think health care certainly has a stronghold to that in terms of the use of that data and also backing it up. I don't think necessarily they would be the ones who would want to shred it, quote unquote, and not utilize it. I would say that the data that is out there, I think we're becoming a little bit more specific and sensitive to what needs to be backed up and what needs to be stored and of course, why it's being used. And I think there's a couple of areas that drive us to that path in terms of why that data is important. The first and most obvious is the compliance and legality to it. So if there is again, data for various reasons that have a significant impact to your company, then you're going to need to store that data and you may have to reference back to it at any point. Here in the States we have Sarbanes, Oxley, that is a major driver when it comes to data, the user access to it and why it's being audited. Other areas such as cardholder information, the credit card which is being captured at respective companies has to be stored and tokenized. Right? Whereas in health care we've got patient health information or phi, where hospitals and clinics need to go ahead and back up that data. And not only just that data, but the diagnosis and research that comes for individuals who may be medically treated for specific types of diseases or whatnot. So I think there is a whole plethora of different ways to attempt to go ahead and categorize that data in terms of what's important or not. But to your point, I think there is other types of data that certainly isn't needed and doesn't need to be backed up. Taking this back full circle, are looking at now and talking to other people within my own CSO network is how do we go ahead and make sure that we are being very careful in terms of what we're backing up for the importance of it not just being cost effective, but understanding that that data is space and that takes up valuable time for us to manage.
[00:18:30] Speaker B: So before we move on, I have a question that I'm really curious to know. Do you think people of your caliber are waking up and going, I'm going to back up my data today?
[00:18:39] Speaker A: I think there are 20 other things on the list that we want to get to before we're even thinking about it in today's theso's age. You know, I could tell you I've been at plenty of conferences last year and I've been already to a few of them. Now we're talking about continuous monitoring and continuous pen testing and attack surface and we're talking about AI and how that's going to have an impact, not just the breadth of what AI can do to your company, but also how we prepare against AI social engineering attacks. Those are the things which are very critical to us. Nobody's really thinking about backing up data, even though I would probably put up the backing of data as high as some of those things because again, people just don't understand and especially people within technology simply don't quite grasp the importance of it until they're finally attacked. And then you realize, oh well, we didn't have this, and now this individual or this organized crime syndicate actually has their data. They're not going to give it back to us and loops we pay them. So it's a fine line to keep repeating, to keep crying wolf, because at some point the wolf is coming and we need to make sure that we are preaching to the, to the masses in terms of why that data is important for us to back up.
[00:19:54] Speaker B: So would you say there's a couple of things. What was coming to my mind as you were speaking would be again, it's not the most sexiest thing because then we're sort of perhaps bamboozled by all the other things that you just mentioned. It's a bit cooler, a little bit more interesting. Do you also think there's that point? The second point would be out of sight, out of mind. So we don't really think about it, we can't really see it necessarily day to day, so we forget about it. And the third thing is it's probably just not the most interesting thing in Comparison to everything else that's going on, like you mentioned.
[00:20:24] Speaker A: Yeah, absolutely. I mean, let's just cut to the chase. It's just not sexy, right? I mean, nobody thinks about it. It's not something that's going to dazzle your boss's eyes, much less the elt, the executive leadership, or even the board. Right. I mean, Greg, you backed up data, you know, good job. That just doesn't turn heads, right? What turns heads is your threat reports from your security stack and the different types of incidents you encounter and how you save the day and what monitoring is being scanning for or what's out there in the dark web that you were able to recover. Those are the type of things that you think about. I mean, in fact, you could say backing of data is rather boring. But, you know, I'll tell you something, that boring type of task has probably saved a lot of companies from the headache and from the loss. And not only just the loss here, Carissa, but the public image. Right? Because I don't think many people recognize the fact that when you lose your data, it's public knowledge and it has to be reported out. And it's even worse for publicly traded companies that have to report into the sec, because that's going to be out there and you don't want to wake up the next day after your company has been compromised and you've had to pay $10 million that it's going to be the headliner in the Wall Street Journal the next day. So I think there is a whole ripple effect that happens when people just simply don't do the boring type of tasks that can really impact and serve as a detriment to their company in the long run.
[00:21:53] Speaker B: So now I want to sort of switch gears and focus on your role and how companies like yours are securing their most critical ot operational technology sort of assets. Walk me through this.
[00:22:07] Speaker A: Yeah. So for us, the most important thing that we are, we have begun and we are happily starting to move in the direction of, is to really kind of understand our asset inventory within manufacturing. And the reason why it's so important is because as I mentioned earlier in our, in our conversation, the assets that you find within operational technology or manufacturing are not the same as information technology. And that kind of throws a spin at you. And the spin is this, how do you go ahead and assess it for security?
And more importantly, how do you assess it for what you can do to protect it for the long run? So as an example, there's a lot of legacy systems within manufacturing, right? Decades old Systems that are doing its thing. You don't want to go ahead and ruffle feathers, just let it do what it's doing. The problem is, is that there's no way you're going to apply a security agent or a monitoring control on those because of the fact that it may have a severe impact to that respective system.
So what do you do then? You're going to look at that network, you're going to look at its zone, you might look at its domains, and you're going to have to figure out a way to surround it with appropriate security controls. Easier said than done. So the classification and the tagging of what those assets are, the understanding of how it works, its impact, its vitality within the network is certainly important. That's what you're going to capture first and foremost in your asset inventory. You're then going to apply some configuration management database which is going to tell you this is how you're going to keep the health and maintain its lifecycle in terms of making sure that whatever it needs is being provided. So if it's a version control, if it's coming from the outside because it's vendor supported, no problem. You just need to make sure that it's being tracked. And the last part to it is you're going to make sure that you understand after doing, say like a network mapping diagram, where in fact, are you going to apply those security controls, are you going to be able to apply some type of internal firewall? Are you going to be able to go ahead and put in some type of sniffers or detectors or whatever it might be, you're going to have to really kind of buckle down and understand exactly what to do. Because here's the thing, manufacturing is very sensitive and it's very, very linear and it's very built on the fact that it's there to do a specific type of job. Information from it doesn't necessarily flow back and forth. And so what I mean by that is that you don't necessarily always get the health and the status or the productivity of that respective device. You have to take all that into account to make sure that not only are you allowing it to do what it's supposed to do, but you're then adhering to applying security controls and processes so that it's running safely and that it cannot be attacked. I think those are some of the immediate things that anybody who's thinking about getting into the sniper program with an OT should really start to acknowledge and to identify and that you work on.
[00:25:02] Speaker B: So in terms of like some of these controls, what I've heard from people like yourself, that they're really old, like you mentioned, but they're like 30, $40 million super expensive and they're so manual. Obviously they're not connected to the Internet because that's a massive risk, as you mentioned. But it's so manual that it's like you have to get a guy out there, he's got to do all this thing. The only way to potentially intercept it is from like a social engineering point of view. But then it has other challenges around, you know, efficiency and other issues around, well, this thing is so old, if something were to happen, we don't know how to fix it necessarily. Does that concern you a little bit?
[00:25:37] Speaker A: Absolutely. And I think that's where the sensitivity falls in place because as said, we classify those as legacy systems. Legacy defined as basically a system that really can't be updated or supported by its original proprietary service. Right. So there are old Windows Sevens or Windows Eights that are running within manufacturing plants and you're not going to mess around with that because you're not being supported. You can't apply, you know, 2025 Azure or Defender on those respective type of systems. You simply can't. You can't run it for scanning and monitoring. So then you start to look at the other possibilities and you have to be creative, which I think is kind of the alluring part to all this innovation that you have to think about is how do you secure these types of devices without actually touching them. And I think that's really where things get to be a little bit more complex. Right. Especially for those Internet facing applications or those Internet facing systems. You're going to have to look at what exactly is out there, whether those are ports, whether those are other controls within an application that could actually be modified or could be hard coded for some other type of control. All of those things are kind of in play when you think about that. Because to your point, you're not going to mess around with a system that's 40 years old. There's no point on it. I think the manufacturing is a lot harder and much more complicated than it, because we see that also within it we know the fact that there are systems that are decades old, those old J.D. edwards or those old Oracle or Cobol, you know, some of these ones that I wasn't around when these things were around, but it's, it's, it's there and they're doing their job and you don't want to go ahead and mess around with It. So it's the same within manufacturing that you have to take it one step further because of the fact that those domains and the environment that it resides in are also sensitive as well.
[00:27:31] Speaker B: Gosh, J.D. edwards. I've definitely used that probably about 15 years ago, one of the things would be, okay, this is really interesting because you said before about being creative, which I want to get into.
[00:27:42] Speaker A: Yeah.
[00:27:42] Speaker B: But do you think with what you're saying, it's kind of like you're jumping into an old car that's super old and you're just hoping it just doesn't break down at this point, you're literally crossing your fingers. Do you think there's a bit of that going on here?
[00:27:54] Speaker A: Yeah, I think so. It's almost trying to say, to take your analogy, jumping in an old car, making sure that it's running and you can use it, but then you're also trying to figure out exactly how to go ahead and prevent it or how to save the use of that vehicle if it ever got into an accident. Right. Because it doesn't have the technology, it doesn't have the airbags or the collision systems or anything that can really prevent a car these days from being completely totaled. Right. With an older vehicle, obviously, you have to think about that in terms of what would be if it were impacted. And that's the same thing. That analogy corresponds very well within manufacturing. If it was to be impacted, what's going to happen? And I think that's the biggest thing. You just don't know. You don't know what can happen. And that's where the apprehension lies because of the fact that you have to be very careful in terms of how you approach it. So I would look at it from the perspective of saying, here's what we have in terms of, again, looking at your asset, inflammatory understanding, your collection of legacy systems, and try to build something out on the outside rather than in. And that basically means network segmentation, which is something very big. And I know a lot of manufacturing companies and some of my manufacturing CISO peers tend to look at, which is to completely isolate those systems off the network, put them in a very secluded area with very limited access. That's probably a good way to do it, but it's also very costly. Right. You can look at it from the perspective of just locking down ports, probably easier, but, you know, still a rather wide gap in terms of being compromised. There's plenty of things that. That are out there that you're looking at, but at the end of the day, you have to Just respect those systems for what they are and that they cannot be manipulated or modified to bring it up to speed in today's game.
[00:29:44] Speaker B: So you mentioned before about being creative. So what you just listed, would you say that's ways that companies can work around the issue without interfering with it? With still like, you know, we can't have this car sort of breaking down. We needed to keep operating. Do you think that's what you mean by being creative?
[00:30:03] Speaker A: Yeah, I do. I say that because I'm using certain terms like network segmentation. You use network segmentation because of that practice of what it can do for your respective computer network, which is to make it smaller. And it may not be as elevated from a perspective of saying this is a lot different, this is much more innovative, but the fact of the matter is that it's still an option to go ahead and use.
It doesn't have to be the only option, but it certainly gives you that opportunity from limiting the exposure to malware or ransomware, which is a big deal. And it's also not as easy to get done.
So we kind of look at things from a holistic perspective to say to ourselves, what are we going to be able to do out there, which first of all can do, be done manually, but then realizing the fact that the manual brevity to all of it has certain limitations, but then moving it over into an automated state where now you have tools and systems monitoring your respective area and what you can do with that. So I think there's a variety of ways to do that. And also within network segmentation, there's a variety of different things you can do as well. You can do logical segmentation or micro segmentation physical. There's plenty of options to choose from. And not everybody's plants are the same. The irony of everything is if you look at plants throughout the world in companies that, that have more than three or four manufacturing plants, the odds that those are going to be apples to apples in terms of the same network, the same homogeneous type of tools, the same layering from a topology diagram, they'll never be the same. So even within your own company, plants are different and you have to treat each of those respective plants differently. So that in itself is making you having to figure out exactly how to treat each of your respective plans with the right approach to take.
[00:31:54] Speaker B: So what I'm curious to know is these systems, they're probably not going to keep running for another 40 years, right? So are people thinking about, well, we have to start to, I don't know, I mean I'm just hypothesizing you'd know more than me, like create some sort of not digital twin, but something where we're building out what we're currently doing elsewhere so it doesn't interfere with the day to day. And then we start to replace some of these old school, legacy, end of life sort of systems and stuff like that. What does that then look like for you?
[00:32:23] Speaker A: Yeah, I mean that those are, those are certainly type of questions that we have to mull about, you know, for the next decade or two in terms of what needs to be done. Because yes, you're absolutely right, these systems are not going to be running forever. So the question then becomes what are the options? Right. You can certainly look at doing some type of replacement, which is probably the easiest way to do it. But the problem with that is that they're often very expensive. They're also risky because you just don't know simply if those systems are going to run the same way. If you replace it with a new one. There's other opportunities, such as migration. Right. You kind of phase out and run this type of, this, this phase in terms of understanding exactly what the certain functions of these systems do and then replacing it with other modules or microservices that can do the same thing and that hopefully can help minimize the type of fault errors that may happen, the disruptions. And you can still allow for some type of testing to make sure they're working again only for those major functional pieces. And then you also have other things such as you may not even use those systems anymore, but you can use APIs against newer systems. And what I mean by that is you're basically giving those legacy systems an API and you can use that now. So it's communicating and correlating and maybe even handing over data to these newer systems. I think AI is going to have a huge impact in the manufacturing world and we're probably not talking about that enough where allowing for that integration, allowing for a swap out in terms of what AI would calculate and build out. To say this is what you need in order to replicate what this older system is doing is certainly there. And I think it's being investigated. I certainly know that. I'm looking into it. I know others within our CISO community are looking at it as well to see what we can do with AI as well as machine learning to again swap out those legacy systems whenever that may happen.
[00:34:25] Speaker B: So do you foresee there's going to be a new era or era, as you guys say over there with manufacturing so for example, as I mentioned before, I'm ex banking and finance. I worked on the tail end of core banking modernization. Traditional a seven year program, more than a billion Aussie dollars or something. One and a half billion dollars, something apparently it cost to do the migration.
Do you see this becoming a thing in your space that we're going to have this new era of manufacturing, we're going to do this migration and this is how a lot of these legacy, legacy systems are going to go and this is how we're going to start running these businesses?
[00:34:59] Speaker A: Oh yeah, absolutely. I mean that I think is already starting to take shape and I mentioned a few things with AI and machine learning in terms of how it's trying to analyze this type of production data and how to optimize these types of systems and make sure that it can detect, you know, the health of these types of equipments and make sure that they're running at full optimization. But then we're talking about other areas such as robotics, right. And the automation and how these different types of tools and the use of in essence integrate much more quickly and efficient to provide that type of precise knowledge to create that type of product. I think that's going to be very, very cool and very useful at some later point in terms of how the manufacturing world, like I said, is already changing. And I think when you start to look at these types of prototypes which are being built, the different types of solutions, even the ones which are replicating, because now you can go ahead and create virtual, right? The virtual replicas of these systems, even legacy systems. I think that is really the wave of the future for manufacturing to kind of shed the old way, the old culture sort of speak and move in with the new. And I think it's going to take some time because like I said, manufacturing has always been a little bit resistant. I think that and healthcare, Healthcare for some odd reason seems to resist new technology. Manufacturing is very much the same way.
It's going to take the appetite, I hate to say it, the risk appetite from your manufacturing partners, those who work within the plant, to embrace that culture because it's not easy. And I don't want to categorize and personalize them as being stubborn and old, but it's just one of those older different types of industries that's just going to take time for it to adopt to the new technology.
[00:36:48] Speaker B: Well, as I said before, you know, it's not like it's a 9 to 5 sort of business, right. A lot of some of these things can run 24 by 7. So the risk is definitely substantially higher. And if one thing stops, then you know, there's a flow on effect from a conveyor, proverbial conveyor belt point of view.
So what do you think sort of moving forward? I know you sort of mentioned, you know, these prototypes we're getting into, how we can do these virtual replicas. Anything else you can sort of share today?
[00:37:13] Speaker A: I think really when, when you're, when we talk about manufacturing and when we talk about the importance to how we are transitioning into it, there's a key term over here that some of us use which is IT OT convergence. And what that basically means is that you're trying to use IT controls and apply them within that OT space. And I think that's very important to recognize. Now what you're seeing is that you can do a lot more controlling so your admins and your IT folks can actually dip their way into operational technology, into those respective critical tools and apply certain types of measures that you haven't seen before. And that's the convergence. It's a two way street where your OT can send back data, can send back analytics, or IT has the tools to crunch those datas, crunch those metrics and recognize how in fact could you be more productive? How can you be cost effective, how can you be optimal in terms of what you want to gain as a manufacturing whole, in terms of what your product is? So I think that is certainly something that is being very, very useful.
The negative to that is that it's not necessarily as easy as some may think. Also the other part to it is that the IT and OT convergence has also created a new attack surface where hackers are starting to look into that as being a possible area to go ahead and compromise. Because that bridge convergence, so to speak, seems to be a little bit exposed in terms of what controls are there just to go ahead and connect that tunnel between IT and ot. So I think there's some interesting things going on, some interesting discussions in terms of how that IT OT convergence can have a play in the future. And it's certainly an important one, but it has to be probed and inspected and assessed a little bit more before they feel as comfortable as they want to be to make that happen.
[00:39:09] Speaker B: So Imran, do you have any sort of closing comments or final thoughts you'd like to leave our audience with today?
[00:39:14] Speaker A: You know, I think when people are looking at cybersecurity and when they're looking at manufacturing, understand a couple of things, especially if you're in that field, please be patient because it's going to take time. Understand your topology in your mapping within your operational technology, which also includes supply chain I should say as well as possible. Before laying out any type of controls, remember understanding the analysis to IT in terms of the infrastructure. What you're using it for is much more important than assuming security controls and laying them out wherever needed is going to be the key factor to it. I think you have to always assess the risk, make the best decisions and then move forward. But do that in steps which are digestible and easy to approach rather than trying to go ahead and hit the home run or I don't know what you guys say out there for the cricket, right? But whatever you guys do for your lowest points in cricket to get the most out of it.
[00:40:19] Speaker B: This is KBCast, the voice of Cyber. Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
This episode is brought to you by mercset. Your Smarter Route to Security Talent Mercset's Executive search has helped enterprise organizations find the right people from around the world since 2012.
[00:40:45] Speaker A: Their on demand talent acquisition team helps.
[00:40:47] Speaker B: Startups and mid sized businesses scale faster and more efficiently. Find out
[email protected] today.
