Verve Purchase Gives Rockwell Leg Up on Asset IdentificationBuy of Industrial Cybersecurity Firm Verve Will Help Customers Spot, Remediate Risk
Rockwell Automation's buy of industrial cybersecurity vendor Verve will help businesses better handle one of the biggest challenges in all of critical infrastructure: asset identification.
Industrial organizations need to manage plants located all over the world, and some of them were built in the pre-digital transformation era while other facilities came into the fold through acquisition, said Mark Cristiano, commercial director, global cybersecurity services. He said risk scoring, asset identification and vulnerability identification are the key pieces for securing critical infrastructure (see: Rockwell Forges Gen AI Pact With Microsoft, Buys Cyber Firm).
"Verve does a really good job of asset identification and risk quantification, as well as making recommendations on remediation," Cristiano said Tuesday during a Rockwell Automation Fair press conference in Boston. "It lays out a road map - a plan for them to be able to quantify their risk and improve their risk conditions."
The Keys to Industrial Cybersecurity Success
Critical infrastructure organizations must prioritize network segmentation to obtain better control over how traffic flows across their infrastructure, Cristiano said. In the event of a cyberattack, he said, segmentation allows companies to shut off the affected parts of the network, isolate the unaffected portions of infrastructure and continue to keep as many production running as possible.
"On the OT side of the infrastructure, it's very noisy."
– Mark Cristiano, commercial director, Rockwell Automation
Another common countermeasure at industrial organizations is threat monitoring, which Cristiano said takes a snapshot of what good communication looks like in a particular client's environment and uses that to identify and alert clients to anomalies. From there, he said, Rockwell's managed services can help organizations figure out which alerts need to be prioritized.
"On the OT side of the infrastructure, it's very noisy. There's a lot of chatter going on," Cristiano said. "And there's a very specialized skill set that you need to bring into that environment."
Operating an industrial facility without an incident response retainer in place is like driving a car without insurance, according to Cristiano. In addition to offering incident response retainers, he said, Rockwell can also provide penetration testing on a periodic basis to figure out where the openings are as well as tabletop exercises that bring the entire organization together so everybody knows their role in a breach.
"It's a cross-functional exercise," Cristiano said. "It's really important we work with customers to try and simulate that attack so that everybody knows what happens."
How Risk Reduction and Modernization Relate
Rockwell has also devoted resources to auditing network inventory given the frequency at which assets change - making a snapshot-based approach essentially meaningless, Cristiano said. The starting point for most industrial organizations is a security assessment, which helps businesses both get their arms around cyber risk as well as communicate that risk to other stakeholders in the company, he said.
"What we've seen be successful is developing an action plan and funding to be able to go remediate this," Cristiano said.
He said he's all for having customers modernize their industrial systems but cautioned it's very disruptive and expensive for organizations to rip and replace what they have in place today. Protecting the industrial assets organizations currently have with existing technologies is typically more realistic and cost-effective, especially given that newer industrial systems will also require cyber protection.
"The awareness is still lacking in the OT world," Cristiano said.