Automating a more resilient supply chain

As technology evolves, manufactures can leverage new tools to reduce costs while improving accuracy, visibility and customer satisfaction. Emerging technologies such as Internet of Things (IoT) and artificial intelligence (AI) can increase efficiencies for manufactures. At the same time, this increase in technology may create openings for cyberattacks on the supply chain as well as critical infrastructure. 

Here, we talk with Scott Reynolds, the President-Elect at International Society of Automation. 

Security magazine: Tell us about your title and background.

I am a volunteer leader as the President-Elect/Secretary for the International Society of Automation for 2024. I’m also the senior security and engineering manager for Johns Manville, a Berkshire Hathaway company. Finally, I am chair of the Operational Technology Cybersecurity Summit in London, UK. I started my career as a control systems engineer, and slowly transitioned to incorporate cybersecurity as my main focus around the OT environment. My passion is helping build and grow the community around automation, and especially with cybersecurity of the Operational Technology (OT) space.

Security magazine: How can manufacturers leveraging automation technology strengthen the cybersecurity of their assets?

The question of leveraging automation to strengthen cybersecurity is interesting. I think the more automation there is, the more risk to cybersecurity there is, because you need to secure each piece of the automation process. This process requires an agreed upon language and consistency. The more consistent you are, the more successful you will be in understanding your risk posture in the OT space. The best standard to leverage to accomplish this is ISA/IEC 62443 series. It helps get everyone on the same page and provides a consistent process to develop a successful program.  If you are looking for automation to help with this, I would start with passive asset discovery tools. The first step to a successful security program is to understand your asset inventory. This action is required per the ISA/IEC 62443 series. Using automated tools to better understand your asset inventory is a great starting point to developing your security program for OT.

Security magazine: How can manufacturers use automation technology to mitigate cost differences across their supply chain/from onshore to offshore? 

The key with keeping supply chain costs down is getting the documentation and expectations correct up front. This means security needs to be considered before the RFP is sent out. If you have to rework or rebid a solution because you discover the supplier does things in a way that creates additional risk for your organization, the situation is going to slow down the process. One tool to help with this issue is ISASecure certification — the leading conformity assessment program for the ISA/IEC 62443 standards. If you are leveraging the standard, you can require the supplier is certified to ISA/IEC 62443 standards, and to the level of security you need for that system. It’s a great way to have third party assurance of the level of security provided by the vendor.

Security magazine: How does the increase of automation technology increase the risk of cyberattacks on critical infrastructure and the supply chain?

The more automation, the more opportunity to introduce risk. This approach means you need a robust program to help secure those systems.  A tool to do this in ISA/IEC 62443 is to leverage zones and conduits. This concept is really a zero-trust model between assets, which only allows what is needed between each zone or asset. It allows you to put different level of security controls on each zone without over costing the project by setting the strongest level of security controls across an entire system.