Stop Strategizing. Start Listening. The secret to happy employees and improved security. (Featuring Koch Industries)
Success for cybersecurity in the manufacturing space requires listening to your employees, from their local expertise to their concerns. To not overcomplicate the day-to-day of your operators, it is crucial to form a holistic security strategy that focuses on OT protection as much as it does on IT solutions. Without this conscious approach, security can often end up clunky and cause more hassle than help.
Join us as we talk with Gabe Green, Chief Information Security Officer for Koch Industries, about taking an informed approach to security in manufacturing. In this episode, Green shares with us insights from Koch’s journey to provide consistent IT and OT security across their very different environments, and how a bottoms-up approach creates space to leverage each employee’s comparative advantage.
Describing the value of a bottoms-up approach
“When we’ve thought about cybersecurity, in these manufacturing, in these process control environments, we really want to make sure that we’re not just rinse and repeating that same approach, and we’re really starting with what’s important to those environments.” – Gabe Green
On the importance of “local expertise”
“Part of our focus has been as we deploy security into these manufacturing environments, where can we leverage some comparative advantages from the cybersecurity teams, the IT and OT teams within the operating companies, and supplement some of that with the local expertise of our operators in the plant environments. They’re going to have the best knowledge of what their day to day looks like.” – Gabe Green
On OT things a typical IT person may not think about:
“I think one of the things that we’re learning, is that the way that an attack might happen in our OT manufacturing environments might look very different than what we’re used to seeing in our IT environments. I think when we’re looking at these OT environments, one of the things we have to recognize is that this is really what’s most critical to the business.” – Gabe Green
How Dragos uses AWS to Empower Collective Defense for Industrial Control Systems and Operational Technology
The Industrial Executive’s Guide to Cloud Security
AWS Security Hub
Learn how Siemens strengthens security and enhances productivity using AWS
Learn how Volkswagen Group centrally manages security threats on AWS
Ask A Question
Send us your questions at email@example.com. You can also post your question below in the comment section. We will reply to all questions within 1 business day.
What is AWS Industrial Insights?
Welcome to AWS Industrial Insights. In every episode, we interview visionary leaders from industrial companies to share their insights on technology, innovation, and leadership. This podcast is for industrial business leaders who are looking to make data-driven decisions and learn from those who’ve experienced similar challenges. By interviewing leading executives, we’ll uncover their insights and learn exactly how their organization found a solution. You can find all episodes of AWS Industrial Insights on your favorite streaming platform or listen below.
Growing skills gap, increasing cyber threats, supply chain disruption. Do these sound familiar?
It’s a tough industry to be in, and we’re here to help.
I’m your host, Caroline.
And I’m your host, Doug.
And you’re listening to AWS Industrial Insights, the podcast for manufacturing and industrial business leaders who aren’t afraid to think big.
We interview executives from well-known companies to share their disruptive ideas and topics like leadership, technology and innovation.
So let’s get started.
Well, welcome, everyone, and thank you again for joining us today on AWS Industrial Insights. Before we get started, I just want to say a thank you, huge thank you, to our listeners for being a part of this show and giving us great feedback, and tuning in for every episode. We were recently announced on IIoT World’s Top 20 Manufacturing and IIoT podcasts of 2022, and that was just such an incredible honor to be included on that list.
So, huge thank you to our listeners. It’s all because of you that we’re able to do this.
So remember, Caroline, that means the bar is raised for next year. So next year we have to do it again or even higher. So, let’s keep going.
Absolutely. Maybe we’ll be in like the top five. They should whittle down the list.
All right. There’s a goal for the year.
There we go.
Yeah, we’re just really excited to be included on that list and it makes us really excited to continue producing more episodes just for you. So, with that, let’s jump right into this month’s episode. And today we have the pleasure of being joined by Gabe Green.
Gabe, can you give us a quick intro of what your role is in the company that you’re representing?
Sure. Thanks, Caroline. Gabe Green, I’m the Chief Information Security Officer for Koch Industries.
Awesome. Well, thank you so much for joining us. We’re super excited to have you on today’s episode. I think this is kind of a great transition. The last couple of episodes we were talking about security specifically. So it’s pretty interesting that you’re coming from a security-focused role…and how the applications of security for the user are incredibly important behind the strategy.
Can you talk to us a little bit about: what does a user-centric approach look like in the manufacturing environment? And why would your company want to take this type of approach specifically from a security standpoint?
Sure. I think one of the things we’ve been talking about a lot, as we’ve kind of started this journey of really trying to mature our security capabilities within our manufacturing environments, is being cognizant of the work that our operators already have and how they are likely already overtaxed with everything they have to do in their role – from making and creating products, shipping product, to being highly vigilant with safety, managing supply chain challenges, all those things.
And the last thing we want to do is deploy a bunch of security technology, a bunch of hardware and software, and give them yet another thing to keep track of and look at throughout their day. Part of our focus has been, you know, as we deploy security into these manufacturing environments, where can we leverage some comparative advantages from the cybersecurity teams, the IT and OT teams within the operating companies, and supplement some of that with the local expertise of our operators in the plant environments.
Awesome, and when you say local expertise, what do you mean by that?
Yes, I mean, the folks that are on the ground working every day in our manufacturing environments or in our process control environments. They’re going to have the best knowledge of what their day to day looks like. They’re going to have the best knowledge on what a bad day looks like and what we should be planning for and building for around the cybersecurity capability, as opposed to just deploying technology and trying to look at every single alert that comes our way.
I think there’s quite a bit that we would look for in an IT environment, that would be bad or maybe raise some red flags, and some of those things might be perfectly normal inside of a manufacturing environment or a process engineering environment. So [we’re] just leveraging the local expertise to know where we should focus, where we should prioritize.
So, Gabe, if you think about security, you think about the day of the life for your user. How did you understand where security is going to add value for them?
Yeah, it’s a good, good question. I think one, we’re still on that journey. We’re still going through kind of each operating company at Koch and where we have critical infrastructure or manufacturing environments that we want to mature our security approach.
And one of the things we did is try to look through kind of a consistent lens of risk across all of our different manufacturing environments. We focused on safety first. Where do we have assets that we want to ensure that – if we don’t lose control of an asset and create a safety issue – where do we have assets that have a high impact to our P&L? If they go down, we can’t ship product.
And then where do we have assets or processes in our manufacturing or engineering environments where we really want to focus on protecting intellectual property? One of the ways we’ve tried to get an understanding of that is building really strong partnerships across our cybersecurity capability, into the local business IT and security capabilities, and then down into those OT or manufacturing practitioners.
Being able to build that trust across those different groups and have transparent conversation of what’s happening in those environments, and where we can best deploy cybersecurity capabilities.
How do you stay close to them? I mean, security’s not a one and done, so there’s the next generation issue, the next generation problem. How do you understand two things: one, how they’re using the products, and then two, how that’s affecting their roles? And I guess three, how are you keeping up to speed with that?
Yeah, those are all challenges. I think one thing we’ve tried to focus on is recognizing that there’s not likely a one size fits all approach to security across our disparate manufacturing environments.
You know, Koch Industries is made up of a number of different operating companies. When we talk about our process environments or manufacturing environments, those environments exist and operate across a number of different industry verticals. So, it’s really trying to take a risk-based approach based on that company’s profile, what’s important to them from a P&L perspective, what’s important to them from a manufacturing perspective, and make sure we’re differentiating the capabilities, so that they’re meaningful in those environments.
An example of that is we have a company that’s part of Koch Industries called Georgia-Pacific. They’re a manufacturing company. They make building products, consumer products, and paper products, things like that. We also have a company, Flint Hills Resources, that is in the energy sector and operates oil refineries and pipelines. Those are very different companies, very different business models.
And so, looking for where we can have consistency in some of the processes and tools that we deploy from a security perspective, but also recognizing that what’s important and how we operationalize those security technologies are going to look different depending on the environment.
Quick question on that. It sounds like, you know, what I’m hearing is that you put a lot of importance on the human side of this equation and how the applications are actually used. Is that coming from you specifically or do you kind of see that as a cultural mindset within your organization?
I think it’s definitely a cultural mindset within the organization. At Koch, we put a lot of emphasis on individuals’ comparative advantage. What are the things that they are most advantaged to do, the knowledge that they have? And that helps us really take a bottoms-up approach into how we’re thinking about cybersecurity in these environments.
It’s not just a top-down approach of “We’re going to do X the exact same way across all these environments,” but really leveraging the skills and knowledge of the people closest to those problems, to help us understand what’s actually meaningful and makes a difference from a cybersecurity perspective.
I have to say that is like so refreshing to hear. Especially when we talk to a lot of manufacturers and read a lot about what’s going on in the industry, and there’s so much focus on technology. It’s really refreshing to hear such a focus on people and creating an environment where people feel valued and taken care of.
I’m really excited to hear about that. And I also want to understand – for our listeners, when we were doing the pre-interview for this episode with Gabe, he was talking about this like extensive planning for different security scenarios. He gave so many examples that I thought you guys would find so interesting.
One of those being: Gabe, can you talk about how you understand what a bad day looks like for your operational environment? And maybe give us some examples of the kinds of tools that you use to help guide those scenarios?
Yeah. Sure. One of the things that we’ve spent a lot of time thinking about and talking about, as we are on this journey of security in these manufacturing environments, is really trying to make sure that we don’t just apply the same kind of IT security playbook that we’ve applied elsewhere in the organization.
If you think about the corporate organization, IT, all of your employees that are leveraging information systems, email, cloud compute resources, all those things, we have a model for how we thought about cybersecurity and it’s also a very user-centric model, right? Understanding our employees, understanding kind of the challenges that they have day to day, educating them and building awareness around cybersecurity threats, how they often are the target through phishing emails, you know, all of that stuff.
When we’ve thought about cybersecurity, in these manufacturing, in these process control environments, we really want to make sure that we’re not just rinse and repeating that same approach, and we’re really starting with what’s important to those environments.
An example of where we’re focused is really leveraging the methodical approach to planning that a lot of our safety teams and safety engineers in those environments have. They’re closest to those problems. They understand the processes, the equipment that they have in place, and they know what a bad day looks like.
So how do we kind of leverage that knowledge that already exists and plug cybersecurity planning into that, so that it’s not just a totally net new crisis management scenario, but it really works into what the plants and what the operators have already considered and already planned for when it comes to thinking about a bad day in those environments.
Can you talk a little bit too about like, what are the logistics of that? Do you set up, like interviews with them or how do you collect that information?
Yeah, I think we’re early phase in that. What we’re focused on right now is some technology deployments just to gain visibility into those environments, to understand what’s happening, what are the communications between different systems, and establish a baseline.
There’s probably some low-hanging fruit that we can tackle from a security hygiene perspective, and provide some visibility to the operators of where they need to make improvements. Then from there, it’s really circling back and then doing that scenario planning and really understanding what needs to be differentiated on a per-site or a per-plant basis in that scenario planning.
Technology is a big play, but it’s not the only play, as we know. There’s multiple different technology stacks that have to fit into here. You know, if you kind of think about the expertise that you need to lean in on, who are the products and services that you really need to do to get that holistic security strategy? What are you guys, who are you working with?
Yeah, absolutely. One of the things that we felt was very important to us, as we looked at security and these manufacturing process environments, was understanding and having the humility that our IT teams, or cybersecurity teams, don’t have all the best knowledge of how these environments function, right, and what’s important.
So we look for, you know, partners that we could work with to bridge that gap, that could understand the cybersecurity challenges and what that looks like, but also understand a day in the life; they understand the process engineering side, they understand the equipment. One of the companies we’ve been working with, and have a really strong partnership with is a company called Dragos.*
And Dragos has a hardware technology and services solution that we’re working to deploy in these environments, that provides that visibility that I talked about, right? It provides visibility into all the network communication that’s happening across that environment. What’s been really helpful with Dragos is not just the technology, but the expertise that they bring to the table.
And their DNA is really in that critical infrastructure operations. They’ve helped us think about cybersecurity through that lens and hopefully avoid what I talked about, which is just deploying a typical standard IT security playbook into these critical environments.
But if you think about the differences with the nuances between IT and OT, what are three of the top things that you want to really be aware about – and to help our listeners say, “oh, we didn’t think about that” – what are some things that you’ve had from lessons learned?
What I mean by that, Gabe, is: The difference between IT and OT, and what would be an OT thing that a typical IT person wouldn’t think about?
Gotcha. Yeah, I think one of the things that we’re learning, is that the way that an attack might happen in our OT manufacturing environments might look very different than what we’re used to seeing in our IT environments. In IT environments, you have kind of these large, more homogeneous environments.
We’ve got technology and sensors deployed everywhere. We’re looking at emails coming into our end users, what could be potentially a phishing email if something gets through, how do we detect it? How do we shut it down quickly? And I think when we’re looking at these OT environments, one of the things we have to recognize is that this is really what’s most critical to the business, right?
In a lot of ways, this is why the business exists – is to run these OT environments and create product. With that comes a sensitivity to operations and production. We probably don’t have as much leeway as we might have in an IT environment to mess something up, to shut something down, or to contain what we think might be a cybersecurity attack but really is just normal business operations.
It goes back to really leveraging the local expertise of the operators and the engineers that understand those environments and make sure that the playbooks we’re creating to respond to potential cybersecurity attacks match what actually is reality in those environments, and we’re not making a problem worse.
Yeah, that’s really interesting. And just out of curiosity – are those IT playbooks, are those like digital playbooks or are they on paper? I’m always curious. It seems like a lot of stuff is on paper these days.
Yeah, I’d say it’s a little of both. One of the things we’ve done across our cybersecurity capability over the last several years is try to automate and orchestrate a lot of those playbooks, so those playbooks are really built into our response processes that our analysts look at.
So when they respond to an alert, that playbook is built into the systems they’re using to respond to that. But then we also have things on paper when we’re talking about more high-level playbooks, right? Like how would a site respond to ransomware?
Who are the people that need to be involved or the capabilities we need to pull in or the questions we need to be asking? So, it’s a little of both.
Good, good. Yeah. It sounds like you have a good backup plan, too. Well, this is really interesting information. I think one thing that really stands out to me from this conversation, Gabe, is your approach, your bottoms-up approach, and really how you use humility to kind of guide your security approach, leaning into other people’s strengths.
What was that term that you used in the beginning? You said like individual advantage or what was that?
Yeah, comparative advantage. And that’s something we talk about at Koch. It’s definitely part of our culture, which is leveraging what people are best at and where that comparative advantage lies across the organization, which doesn’t always mean it’s by role or title, but really leveraging the best skills and knowledge with the people that are closest to the problems.
Yeah. So that being said, then, you know, before we close out this episode, can you share with us – what would you say you wish that you could tell yourself five or maybe even ten years ago? What do you wish that you knew about your approach now? What have you learned that would have been most important to think about?
I think, if anything, one of the things that personally I have learned is that looking back, I wish we would have started earlier in some of the relationship-building across those operators and engineering environments. One of the things we found, as we’ve pursued this and started to meet people in those environments and talk about some of these deployments we’re doing with Dragos, is there’s a lack of awareness in some of these environments that the cybersecurity capability for Koch Industries even exists and what that team does on a day-to-day basis.
There’s been a lot of groundwork we’ve had to do just to educate them on the team, who the people are, what the team does, how we think we might be able to help in these critical environments. And so if anything, I’d say that’s something I wish we would have done sooner and done more of in the past.
Thank you for tuning in to AWS Industrial Insights. If you want to learn more about today’s episode, head over to the blog for a list of featured resources on this topic. You can also find today’s blog in the episode description and also on our website at aws.amazon.com/industrial/podcast.
*Disclaimer: Dragos is a recipient of investment from Koch Disruptive Technologies (KDT), the venture and growth arm of Koch Industries. Additionally, KDT President and COO, Byron Knight, sits on the Dragos board of directors.