How can manufacturers protect themselves against security risks so they can take advantage of digital’s promise to lower their costs and boost their innovation? My guest today is an expert in cybersecurity. Mike Crones spent over a decade at MIT Lincoln Labs, a defense contractor, where he was Deputy Chief Information Officer. He was the Chief Information Officer at Draper, which designs software for autonomous systems dealing with highly sensitive data. And now he’s CIO at aPriori, where he protects manufacturers’ data as it moves in and out of the cloud and into the hands of authorized decision-makers. He’s going to talk to us today about the security threats facing manufacturers and what to do about them. Mike Crones, welcome to the podcast.
Mike Crones: Thanks, Leah. I really appreciate the time today. Thank you.
Who Are Security Threats?
Leah Archibald: When I imagine security hackers, I have in my mind this vision of a nefarious ne’er-do-well, in a black hoodie, in the shadows. But who is it really? Who are our enemies who are targeting the manufacturing enterprise and what are they looking for?
Mike Crones: That’s a great question. Our adversaries in this space are many. It could be from a standpoint of competitive advantage – looking at other peer organizations who have similar product sets – market leaders who want to stay there. But it also could be nation-states. A lot of the manufacturing and technology that goes on across the board, while it may be unclassified in nature, is beneficial to foreign nationals and adversaries around the world. Being able to slip into that supply chain and either steal that data or alter that data so it impacts manufacturability is a huge risk.
Leah Archibald: Okay, so we’re looking at threats within our borders, perhaps from competitors, and we’re looking at threats outside our borders, perhaps for reasons of national defense. And what type of holes in security are these people trying to exploit?
Mike Crones: The holes that are typically the most exploited really come back to some of the basics. People, I hate to say it, are the weakest link.
Leah Archibald: Uh-oh. I was hoping you were going to be like, “Here’s a patch. I’m going to upload it to your system and you’re done.” But no, you’re telling me I’ve got to do something.
Mike Crones: I think at the end of the day, the technical aspects of this are actually the easy ones. It’s really the behavior and the diligence of individuals within companies that help out tremendously or hurt it tremendously. If you think about phishing attacks, getting an email that’s spoofed and clicking on a link that then compromises your internal system and allows an adversary to get in or put malware on your system, that’s really all related. When adversaries play on you personally to respond to something and get you to take an action, they actually get in behind that curtain.
Cyber Attacks Manufacturers Should Watch For
Leah Archibald: So phishing is one of the top threats to cybersecurity. What else are you looking for?
Mike Crones: Well, phishing leads to things like account compromise and getting specific types of information. But on the heels of that is ransomware, where folks are getting in, compromising accounts, and then encrypting data. Think about having this happen to system upon system upon system within an enterprise. That’s when it really becomes real. If you step back and think about ransomware today, the average cost to remediate ransomware attacks is between three and five million dollars. It’s pretty cheap. To remediate a breach of some type of data loss is probably in the 9 to 10 million dollar range. You also have to be wondering if you do have a ransomware attack and you pay a ransom and you get your data back, what has the adversary done to the data? And by the way, are they still in your environment? Ready to just do that again two weeks from now?
Leah Archibald: Now these are threats that face every enterprise, whether or not they’re in manufacturing. Every company that has data is worried about the threats of phishing, and is worried about ransomware. But for manufacturers, there’s this added layer of worry when they’re creating a digital twin, when they have a digital production environment, and when they’re putting sensitive trade secrets into the cloud. How do they protect that data? Is that an additional level of security?
Mike Crones: I think compliance frameworks are great, but they are just the beginning. They do not make sure that you’re safe; they make sure you’re compliant. And so, you need to put additive pieces in place to really get in the way of the bad actors and the threats that are out there today. I, quite honestly, look at compliance as the baseline and the foundation. Those are table stakes. Now I really need to put a secret sauce on top of that – a next layer of security. How do I differentiate my security stack and my posture up and above those compliance requirements to make it tougher for any adversary to look at? I think number one, there’s got to be a culture and an education around security. I always say that security is a team sport. We all carry the burden of security.
Leah Archibald: We’re all running defense – not just one guy.
Mike Crones: It’s everybody. We have these company cultures today: Where does work end and personal start? Or personal start and work end? Making sure that even your own personal security hygiene is up to snuff. Because that’s an interesting way for it to also bleed into a corporation.
Leah Archibald: This is really interesting because one of the biggest innovations of this period of digital transformation is the increased access that workers have to sensitive data. When data can be in the cloud, when it can be shared between manufacturers and suppliers, that leads to a lot of innovation. But there’s a similar bleed for individuals in office time and home time and personal time on their office computers, and office time on their personal computers. So both the benefits and the challenges of this new environment bleed into security risk.
Mike Crones: Absolutely. And that’s why it has to come back down to that team sport. So education and culture are two of the most important things to sustain a good program and drive that awareness. You need to have the basics. Even if you’re a small 20-person company outsourcing some of your IT support help, make sure that they’re doing the basics around security best practices. Scanning, patching, those are the basics that everybody should be doing.
How To Keep Digital Threads Secure
Leah Archibald: I imagine that you’re talking to many manufacturers who are just starting to get on board with digital transformation. They’re starting to think about putting their infrastructure in the cloud and they’re understandably nervous about doing so. How do you set their minds at ease that their data is going to be safe and they’re going to be able to take advantage of digital transformation without putting the whole basket of eggs at risk?
Mike Crones: It’s really important for me to be transparent with our customers, and make sure that I’m helping to educate them about potential risks, but also letting them know the best practices and the approach that we are taking as a team at aPriori to bolster that and continually make that better. Security is never done. It is an always-evolving art form. So for us, we try to make sure that our foundations are there, our table stakes are done. After that, it becomes: What are we doing that makes us a little bit different? What are the differentiators around securing data, around securing our applications and our infrastructure that make us that much better? Our foundation is based on NIST guidelines: National Institute of Standards and Technology. We make sure that we’re looking at compliance outlines like SOC2, like ISO 27001, like CMMC to help us build a roadmap and a platform that can satisfy customers today, but also make sure that we’re building agility to take those into the future as well.
Leah Archibald: And it’s a moving target. Although, I imagine that once a company gets on board with digital transformation and has a lot more of their processes in the cloud, there might be increased agility to deal with security risks in a way that’s perhaps not there when the only location of data is on-premise.
Mike Crones: It’s really interesting. The cloud does actually help to facilitate some of that automation. So from a cybersecurity and compliance perspective, there are really great firms out there to help you with getting to the baselines, whether you’re a small company or a large company. There are many great, great resources in the industry to help you do that.
Leah Archibald: And I imagine once you put in the work to get to a framework that gives you not only compliance but security then that becomes scalable.
Mike Crones: It becomes modular. If you don’t have a framework, you’re playing whack-a-mole all the time. With a framework, you have modularity so that you can continue to mature.
Leah Archibald: I see that security and profitability in the future will go hand in hand, in the same way that examining cost on an ongoing basis goes hand in hand with profitability.
Mike Crones: These are the table stakes today. It’s no longer an optional thing or something that’s somebody else’s problem.
Leah Archibald: Mike Crones, thank you so much for joining us today and shedding a little more light on the security threats facing manufacturers and what we can do about them.
Mike Crones: Leah, thank you very much. This was awesome and I really appreciated the time today. Thanks.