Episode #13
Protecting Your Manufacturing OT Environments from Cyber Threat with Carrier's Brian Kime
Show Notes
In this week's episode of the Future of Cyber Risk podcast, David speaks to Brian Kime, Associate Director of Threat Intelligence and Hunt Lead at Carrier, a global leader in intelligent climate and energy solutions. They discuss the biggest cyber risks to manufacturing companies and how to keep OT environments safe — and why the biggest threat to production is a ransomware attack that impacts the IT systems. They also discuss the need for implementing zero trust and segmenting identities, what key skills are needed to be successful in cyber risk management, security innovations in the military, and why the future of cyber risk management will see organizations prioritizing their own internal data.
Topics discussed:
The evolution of Brian's career as an "expert generalist," including work both on the enterprise defender side and the vendor side, doing research at Forrester, and coming back to the enterprise side at Carrier — as well as serving in the US Army Reserve.
What measures are most successful in protecting manufacturing OT systems against cyber threats, including the necessity of tabletop exercises, implementing zero trust, and the need for segmentation of identities.
Why ransomware is still the biggest threat to manufacturing, and how attackers can halt production and OT systems by ransoming IT systems.
The biggest threats to the global supply chain today, and how tensions in one part of the world — Ukraine and South Asia specifically — can disrupt supply chain timing and costs globally.
The military's approach to cyber risk management, the challenge of working with smaller tech companies as contractors, and why innovation today is soldier-centered.
What key skills are required for cyber risk management success, including the need for critical thinking around context and audience, and why writing skills are necessary for communicating business value and risk.
What cyber risk management will look like in five years, and why organizations will find it more effective to prioritize their own internal data over outside sources.
Quotes from Episode
#1.)
"We want to focus our zero trust strategy around protecting those industrial processes. So we want to segment our networks as much as possible so if we have an issue in IT it doesn't impact the issue in the OT side. If you have an issue in one factory, we don't really want that to impact all the other factories and shut down factories globally. And we've seen that in other ransomware incidents. ... So we want to build resilient OT architectures. And I think zero trust is really key to get there." (11:45)
#2.)
"These days, now, though, identity is becoming even more important. And so I would stress to manufacturers out there that you need to segregate or segment your identities. A factory worker should not be operating your manufacturing systems, your HMIs, and PLCs, and so forth there with the same credentials they would use to check their email and access the internet. So however you want to do that, segment admin accounts and factory accounts and maybe it's by business line. The more you can segment the identities, the less damage a threat could cause by stealing the credentials." (12:45)
#3.)
"As we do automate our building systems, our comfort systems, fire and safety systems, and so forth there, we have to consider zero trust there as well. You're kind of building IoT, you're building management systems — they should not be riding on the same network at the same VLAN or however you segment as corporate IT so we don't have scenarios where a contractor that is coming in and maintaining that HVAC system or that fire suppression system can, oops, easily just go into your data center or your factory floor or something like that." (14:29)
#4.)
"Knowing the audience, writing clearly and concisely, and of course, critical thinking, understanding your biases. My bias might be to multifactor authentication everything, but maybe MFA is not appropriate on that factory floor, for example. ... So controlling for our biases, controlling for logical fallacies when we write, when we present risks to audit committees, to business unit leaders, and so forth, hugely important. For the most part, we're going to leave out the technical stuff and just distill down that risk to what really matters." (38:21)
#5.)
"The top tier threat intel teams today are prioritizing their internal data. So they're seeing all these signals from all their security tools and they are able to identify their threat landscape instead of relying on an external vendor. ... My goal is to get my intelligence capability at Carrier up to that top tier level, so prioritizing our internal data, seeing the relevant signals that we already have, and filling in the gaps with some good high quality external data, but not relying on some of these vendors to tell me what my threat landscape is." (42:51)