Verve Purchase Gives Rockwell Leg Up on Asset Identification

Buy of Industrial Cybersecurity Firm Verve Will Help Customers Spot, Remediate Risk
Mark Cristiano, commercial director of global cybersecurity services, Rockwell Automation

Rockwell Automation's buy of industrial cybersecurity vendor Verve will help businesses better handle one of the biggest challenges in all of critical infrastructure: asset identification.

Industrial organizations need to manage plants located all over the world, and some of them were built in the pre-digital transformation era while other facilities came into the fold through acquisition, said Mark Cristiano, commercial director, global cybersecurity services. He said risk scoring, asset identification and vulnerability identification are the key pieces for securing critical infrastructure (see: Rockwell Forges Gen AI Pact With Microsoft, Buys Cyber Firm).

"Verve does a really good job of asset identification and risk quantification, as well as making recommendations on remediation," Cristiano said Tuesday during a Rockwell Automation Fair press conference in Boston. "It lays out a road map - a plan for them to be able to quantify their risk and improve their risk conditions."

The Keys to Industrial Cybersecurity Success

Critical infrastructure organizations must prioritize network segmentation to obtain better control over how traffic flows across their infrastructure, Cristiano said. In the event of a cyberattack, he said, segmentation allows companies to shut off the affected parts of the network, isolate the unaffected portions of infrastructure and keep as much production running as possible.

Another common countermeasure at industrial organizations is threat monitoring, which Cristiano said takes a snapshot of what good communication looks like in a particular client's environment and uses that to identify and alert clients to anomalies. From there, he said, Rockwell's managed services can help organizations figure out which alerts need to be prioritized.

"On the OT side of the infrastructure, it's very noisy. There's a lot of chatter going on," Cristiano said. "And there's a very specialized skill set that you need to bring into that environment."

Operating an industrial facility without an incident response retainer in place is like driving a car without insurance, according to Cristiano. In addition to offering incident response retainers, he said, Rockwell can also provide penetration testing on a periodic basis to figure out where the openings are as well as tabletop exercises that bring the entire organization together so everybody knows their role in a breach.

"It's a cross-functional exercise," Cristiano said. "It's really important we work with customers to try and simulate that attack so that everybody knows what happens."

How Risk Reduction and Modernization Relate

Rockwell has also devoted resources to auditing network inventory given the frequency at which assets change - making a snapshot-based approach essentially meaningless, Cristiano said. The starting point for most industrial organizations is a security assessment, which helps businesses both get their arms around cyber risk and communicate that risk to other stakeholders in the company, he said.

"What we've seen be successful is developing an action plan and funding to be able to go remediate this," Cristiano said.

He said he's all for having customers modernize their industrial systems but cautioned it's very disruptive and expensive for organizations to rip and replace what they have in place today. Protecting the industrial assets organizations currently have with existing technologies is typically more realistic and cost-effective, especially given that newer industrial systems will also require cyber protection.

"The awareness is still lacking in the OT world," Cristiano said.

About the Author

Michael Novinson

Managing Editor, Business, ISMG

Novinson is responsible for covering the vendor and technology landscape. Prior to joining ISMG, he spent four and a half years covering all the major cybersecurity vendors at CRN, with a focus on their programs and offerings for IT service providers. He was recognized for his breaking news coverage of the August 2019 coordinated ransomware attack against local governments in Texas as well as for his continued reporting around the SolarWinds hack in late 2020 and early 2021.
