Rockwell Automation took it upon itself to not follow in the footsteps of the Ukrainian company that made the M.E.Doc software used to spread the NotPetya malware in 2017.
“We do not want to be the threat vector that’s used to get to our customers,” Dawn Cappelli, Rockwell Automation’s vice president of global security and chief information security officer, said to SC Media’s Derek Johnson during an eSummit on third-party risk.
With other instances where software was used to spread malware, “we could see back that many years ago that this was going to become a trend,” Cappelli said.
At the time, IT security and operational technology security were separate, but Rockwell Automation realized the entire ecosystem needed to be addressed. Its solution: the “connected enterprise ecosystem” security strategy.
“Basically what that means is we protect ourselves — our IT, our OT, but that includes third parties, our supply chains. And we protect our products because we need to make sure that they can’t be tampered with to get to our customers,” Cappelli explained, adding that mergers and acquisitions and the cloud are also included within the security considerations.
Cappelli also noted that ransomware groups figured out in 2020 that manufacturers are much more likely to pay the ransom than software and tech companies, because IT environments are better equipped to recover from attacks. Manufacturers also face distinct risks tied to their own suppliers, Cappelli explained.
“We have seen customers who had to actually shut down their operations because their supply chain was taken out by cyberattacks,” she said.