Issue link: https://iconnect007.uberflip.com/i/1463464
44 SMT007 MAGAZINE | APRIL 2022

Bonner: That is a common antipattern. Manufacturers allow the vendor to bring in their new connected system because it provides a new manufacturing capability, and they don't count the costs, if you will. They don't look to see whether the vendor's required connections into that system themselves are secure, properly segmented, or any other number of things. They just let the vendor do what they want, and they give the vendor whatever they ask for. There's often little or no governance. In the end, you have vendors being given open internet access to a multimillion-dollar machine for ease of support, but it's also easily accessed. When we see manufacturing equipment publicly accessible from the internet with very few controls in place, it's terrifying.

Johnson: Of course, that has the unintended consequence of exposing other computers on the manufacturing floor that may be out of date. It may be some legacy piece of equipment controlled by a computer that's still on XP because the operating software isn't migratable to the next, more secure version of the operating system.

Bonner: Absolutely. Unsupported platforms or operating systems are a huge area of concern. Any time we mix that volatile ingredient with internet access, we're asking for trouble. There must be very clear strategies for handling systems which can't be upgraded or secured in a normal way. We need a way to put that security in front of that device to protect it from the outside world or even your own network, or we need to have some way to put that piece of equipment in a box so that it doesn't pose a risk to others.

Johnson: Digitization is step one clearly, but there's a step zero, isn't there? Get your network secure. Think through the data and the security before you start putting sensors and things in place.

Bonner: There are certainly benefits to planning for the introduction of new capabilities. When that step is taken, we find organizations much more prepared to speak with the new equipment vendor or to better implement or deploy a new capability in a very informed way, where it doesn't just sneak up on them and then suddenly, they have new risks on their network. Some of the things we see organizations doing are creating brand new networks for their new connected equipment to live on and then slowly integrating that with other older networks if those exist. It's like a clean slate environment for the connected equipment so that you can very clearly understand what the normal behavior looks like for that equipment so that if something strange was to start happening, you'd notice it because you know what right looks like in that environment. There's also a big push toward Zero Trust.

Johnson: Zero Trust?

Bonner: Zero Trust security assumes that your entire network is not trustworthy to begin with. Zero Trust incorporates the idea of having this new equipment completely tunnel across the network through encrypted channels to only the resources that need it, rather than swimming in an open sea. It's a much more controlled process. It's hard to do in old networks, but more achievable in a brand-new implementation of new technology. If you can choose to adopt a Zero Trust approach for just the new equipment, that's still better than doing nothing. There are a lot of embedded systems and IoT equipment which, in our haste to create new capabilities, we didn't give full consideration for native security for these tools. Now we have connected systems that are on the network, but they don't have all the trappings of a normal computer. Often, we need to add that capability. There are systems that would allow you to put a "layer 7" firewall in front of the piece of equipment you've just brought onto the network. It allows you to treat everything