AWS for Industries
Cybersecurity Awareness Month: Ep. 3: Building a Base Architecture for Your Future Security Needs (featuring Cisco)
It’s no question that your security needs in the future are likely to change from what they are today. In this episode, we explore how you can stay ahead of your security needs by creating a security strategy that evolves with your business.
Join us as we continue our cybersecurity awareness conversation with Robert from Cisco Systems, a leader in product management for secure firewall / industrial security, and discuss the significance of implementing a security architecture that meets your needs today and in the future.
Robert shares insight from his experience working with the non-profit International Electronics Manufacturing Initiative (INEMI) to develop a security roadmap. This architecture details guidance and best practices for the security of data and products across all touchpoints of the [manufacturing] industry’s supply chain. He also shares with us a great nugget of wisdom regarding security: “If you stick to basics, chances are you’re not going to go wrong.”
Listen now to Part 3: Building a Base Architecture for Your Future Security Needs (featuring Cisco) on Apple Podcasts, Spotify, Stitcher, TuneIn
On applying security approaches to different applications
“Most of the best practices are universal as long as you stick to basics – this is really one of the things that I want to emphasize in this whole series I think, regarding industrial security, is there’s absolutely a lot of unique things. There’s a lot of sort of sexy components to it. But honestly, if you stick to basics, chances are you’re not going to go wrong.” – Robert
“They’re not driving formal standards per se. It’s much more about guidance on giving some sorts of best practices. […] They actively bring in experts from all over to say, ‘Hey, what’s your experience? How could you help contribute to producing guidelines that our membership can make use of?’” – Robert
On drivers impacting the security roadmap
“This question of data flow, the contents, protecting it, and ensuring that perhaps someone doesn’t step on my own work and potentially invalidate some protections I’ve built into my componentry. This was a significant concern for a lot of people.” – Robert
“Just think of all the different organizations, companies, individuals, consultants and so forth who are going to have touchpoints in the space. And it’s really surprising that more things aren’t lost in the process.” – Robert
On learnings throughout the process
“You can never learn enough to be honest because anyone who wants to cause abuse doesn’t feel compelled to necessarily know the whole big picture. They just need to know enough to get into a particular place and cause whatever abuse that they’re targeting.” – Robert
The Industrial Executive’s Guide to Cloud Security
AWS Security Hub
Learn how Siemens strengthens security and enhances productivity using AWS
Learn how Volkswagen Group centrally manages security threats on AWS
Ask A Question
Send us your questions at firstname.lastname@example.org. You can also post your question below in the comment section. We will reply to all questions within 1 business day.
What is AWS Industrial Insights?
Welcome to AWS Industrial Insights. In every episode, we interview visionary leaders from industrial companies to share their insights on technology, innovation, and leadership. This podcast is for industrial business leaders who are looking to make data-driven decisions and learn from those who’ve experienced similar challenges. By interviewing leading executives, we’ll uncover their insights and learn exactly how their organization found a solution. You can find all episodes of AWS Industrial Insights on your favorite streaming platform or listen below.
Growing skills gap, increasing cyber threats, supply chain disruption. Do these sound familiar?
It’s a tough industry to be in and we’re here to help.
I’m your host, Caroline.
And I’m your host, Doug.
And you’re listening to AWS Industrial Insights, the podcast for manufacturing and industrial business leaders who aren’t afraid to think big.
We interview executives from well-known companies to share the disruptive ideas and topics like leadership, technology, and innovation.
So let’s get started. Well, welcome back to episode number three of October Cybersecurity Awareness Month. In our first episode, we learned about the differences between IT and OT security. In our second episode, we talked about how to manage so many vendors who are doing their own niche thing and making sure that you’re still maintaining control and managing that control.
In episode number three, today, we’re really going to focus on, you know, what does this really look like if you put this into place? Your security needs in the future are likely to change from what you need today. So Robert has a great example, specifically focused on INEMI, talking about how, you know, they were able to build a base architecture, you know, that serves these needs in the future.
Robert, can you just give us, first of all, a quick introduction on what is INEMI and why is this so significant?
Sure. So thanks for the opportunity, because this is a fun exercise. The International Electronics Manufacturing Initiative, it’s a nonprofit. It’s a whole set of manufacturers for electronics and their suppliers, who came together to advocate and to work together honestly on challenges that their industry faced.
It’s the electronics industry, which means things move pretty quickly. There’s a lot of change from an original provider all the way up to intermediaries, up to final builders. Lots of different questions on supply chain. And I think many of us recognize that during the pandemic, supply chain issues were a bit of a big deal. I would say we were very fortunate that the road map we worked on was in 2019, immediately before the pandemic.
So it was a very timely activity and I’m very happy that I had the opportunity to participate in this 2019 road map.
Yeah. So can you talk a little bit too about, you know, when you’re building something from the ground up like this, like what kind of questions were you asking yourself? Like, how did you make sure that you were challenging yourself to think broadly for the future so that you wouldn’t kind of like isolate this plan into limiting what’s possible?
While really broadening the plan and limiting what’s possible from a security perspective – that’s probably one of the greatest concerns I always have regarding my own thinking: am I limiting myself? Am I somehow not thinking broadly enough, yet simultaneously within the context of either myself or Cisco, whom we work for, or the customers whom we’re serving and trying to secure what’s actually within their scope of what they could influence?
But in INEMI’s case, they had nicely broken out certain sort of sub-verticals, if you will. They had semiconductor manufacturers and of course their sets of suppliers. They had the OSAT group, the outsourced semiconductor assembly and test entities, and then you’ve got the PCBA builders (printed circuit board assembly), and then you can go forward to the contract manufacturers who are taking steps and subsets of these pieces and assembling a finished product.
But the point is, you’ve got a lot of different people participating here. You’ve got fabs that are building semiconductors for multiple companies simultaneously. You’ve got entities that are doing these tests and assemblies, again on multiple companies’ behalf, and PCBAs are taking chips from multiple vendors and putting these things together. And then that PCBA in turn goes to the contract manufacturer who puts the whole thing on, and then we apply some firmware on it. Please, let’s hope that it works.
Just think of all the different organizations, companies, individuals, consultants and so forth who are going to have touchpoints in the space. And it’s really surprising that more things aren’t lost in the process.
Mm. And did you run into any challenges as you’re working on this that you kind of learn from and you’re like, okay, I wish I would have known this beforehand?
You know, I would probably say there was my personal involvement. I’d had some involvement with semiconductor manufacturers. I’d had some personal involvement with manufacturers of the equipment that semiconductor manufacturers were involved with, some of whom actually embed some of our products within their very expensive semiconductor equipment. But I had no previous involvement with the OSATs and a limited bit of involvement with the PCBA.
So honestly, I felt uncomfortable with my lack of knowledge and understanding how things got handed off with regards to data flow, materials flow, responsibility, across all those hand-offs for those two stages.
So you can never learn enough, to be honest, because anyone who wants to cause abuse doesn’t feel compelled to necessarily know the whole big picture. They just need to know enough to get into a particular place and cause whatever abuse that they’re targeting.
So Robert, is INEMI more of a standards board, or are you building architectural guidance? What is it that you’re coming out with to help everybody as a member of this?
Yeah, so it’s a private organization. They’re not driving formal standards per se. It’s much more about guidance on giving some sorts of best practices and also bringing people together to say, wow, we really didn’t think about this particular issue because I’m in my own portion of this process. So, not a standards organization.
They actively bring in experts from all over to say, “Hey, what’s your experience? How could you help contribute to producing guidelines that our membership can make use of?” And that’s again, the exercise that we did in 2019. And we’re now starting to repeat that now with a target for next roadmap coming in 2023.
What are some of those guidelines or guidances? Just so people kind of know what you guys have been thinking about?
Sure. I mean, so some of it had to do with actually physical handoff, you know, something moving from one stage to another to make sure that’s potentially not tampered with. How do we ensure that you can have some kind of attestation of the authenticity? And if you would, you know, the security state of this asset that I’ve now taken on, that I’m now going to add some value to, and more or less, kind of put my name on it right?
I mean, we’re building upon content upon content and component upon component, but inevitably it’s my name on it which leaves our factory and I’m held responsible for it. So that was a lot of the discussion.
But in my area, it was mostly around data flow. It was basically saying there’s a set of information that I have with regards to maybe the quality of the batch that we produced, and we push forward. If that gets into my competitors’ hands, they could use that against me. I may be having to forward intellectual property from some of my suppliers. It’s now in my care, hence I’m going to be held responsible for it. What are my obligations and what are the potential impacts if I lose control of that? Then plus my own value add. I’m taking all this and packaging it together and I’m moving it upstream to the next stage.
They’re going to do a similar process in their portion of that supply chain, add some value, make some changes, and then push that on. So this question of data flow, the contents, protecting it and ensuring that perhaps someone doesn’t step on my own work and potentially invalidate some protections I’ve built into my componentry. This was a significant concern for a lot of people.
And it’s pretty cool that you were able to start scaling this into other applications as well. Have you had to make a lot of customizations for that or are you able to use the majority of what you’ve already built?
Most of the best practices are universal as long as you stick to basics. And this is really one of the things that I want to emphasize in this whole series, I think, regarding industrial security: there’s absolutely a lot of unique things. There’s a lot of sort of sexy components to it. But honestly, if you stick to basics, chances are you’re not going to go wrong.
You just have to understand how to nuance those basics when faced with, you know, particular verticals’ environments. So I would say always coming back to the basics, making sure that, you know, the order of emphasis is always: we start with people, we then look at process, and then we look at technology last of those concepts. If you look at this, no matter what the complexity is, I think it helps you to design a proper security program to address what, in this particular case that INEMI was dealing with, was a fairly complex supply chain.
Very interesting. And do you have any like resource links on this that we can share with the listeners in the episode blog?
Yes, certainly. It’s inemi.org, the overarching org that did this work. Their 2019 roadmap is on their site. I believe it is paywalled, however. So of course, they need to make sure they recoup the expenses there. But there’s just a lot of good general information at the INEMI site. And again, the roadmap is that high-level document which says here are the areas of emphasis.
Thank you for tuning in to AWS Industrial Insights. If you want to learn more about today’s episode, head over to the blog for a list of featured resources on this topic. You can also find today’s blog in the episode description and also on our website at aws.amazon.com/industrial/podcast.