Rockwell Automation, Inc. (ROK) Earnings Call Transcript & Summary

August 31, 2023

New York Stock Exchange US Industrials Electrical Equipment special 54 min

Earnings Call Speaker Segments

Operator

operator
#1

Hello, and thank you for joining today's webinar. Before we get started, we have a few housekeeping items. The audio for this event will be streaming through your computer speakers. So make sure your volume is turned up and your speakers are turned down. Our webinar platform performs best on Chrome and Firefox browsers. On the lower left-hand side of the presentation, you will see a Q&A box. We encourage you to enter any questions you have here, and we will answer them at the end of the presentation. If you're having any trouble connecting to the webinar, please take a moment to refresh the browser and disconnect from your VPN. If you're still having trouble, please clear cache. We have instructions in the handout section of the webinar platform. All of the panels of the webinar platform are adjustable. To resize, simply click the corner to adjust or hit maximize screen at the top right-hand corner of each panel. Today's event will be recorded and will be available right after it's completed. You can access the recording utilizing the same link that you used to access the live event. After the webinar, we will also be sending you an e-mail with the resources from today's event, including slides, handouts and event recording. Additional information regarding today's topic can be found in the handout panel on the webinar platform. With that, I would like to introduce our speaker for today, Brian [ Deacon ].

Unknown Executive

executive
#2

Hello, everybody. Welcome to the first installment of 1 of 7 in our cybersecurity series, how to protect against cyber threats proactively. Today, we're going to talk mostly about the NIST framework as much as anything else. So it's going to be fairly high level, we can dig down into the weeds, if we'd like. There is a Q&A available. I'll try to get to a few of the questions as we walk through some of the content. I did see an initial peek of some of the folks who are with us today from all kinds of different industries. And what's really exciting about the NIST Cybersecurity Framework or NIST CSF, as it's commonly referred to, is that it got its start really around critical infrastructure, even banking, but water, airports, the rest of the 16 identified critical infrastructure sectors set forth by CISA, but its widespread adoption has really taken off over the last 10 years or so. And just this August 8th, less than a month ago, some exciting news came out. And if you haven't seen it yet, but NIST 2.0 is now available. And we will walk through the existing 5 pillars of the NIST cybersecurity framework. But on August 8th, NIST did announce NIST 2.0: Govern, a sixth pillar to the framework. And we'll talk a little bit about Govern as well. But Govern more or less has to do with organizational risk, risk management, supply chain risk. And I think that's what it's all about. The fact that Govern was missing in the past shows that, that was left mostly to each individual company and there wasn't any guiding framework. But now that we have this framework to work off of, I think it's really critical, especially from the Board level down and into the C-suite to understand cyber risk. I mean cyber is no longer just on the sidelines. It really is being recognized alongside legal risk, financial risk, supply chain risk and it's all the way to the top of the boardroom. I'm sure, as everybody knows. So thanks again for joining us, and we'll jump into the agenda here.
We're going to start out with a couple of questions just to get grounded and figure out kind of where the audience sits with some of the -- in relation to how you would apply any of the frameworks out there today. And if you are, we'll look at some challenges in cybersecurity today. Why is it so difficult to solve some of these problems. We'll take a look at Rockwell Automation's approach to industrial cybersecurity and how we align into the NIST framework to help solve our customers' cybersecurity needs and help them mature more in the space. We'll take a look at a demonstration of an assessment that gets us aligned to where some of our gaps are in accordance to the NIST cybersecurity framework. And we'll take a look at a quick summary and some upcoming webinars here as we continue the series. Again, as I mentioned, this is just the first of 7. First question here, just real quick. It's a yes or no. We'd like you to answer, if you could, please. Do you currently align with a cybersecurity framework. Any framework that you're aware of, anything that your organization is doing with alignment to a particular framework. We'll take a look just at where we are from an audience here. We'll give it about 20 seconds or so. Thank you. Looks like quick answers are coming in. The majority, 60-plus percent answering yes. Looks like we're about half answered. So it looks like upwards of 60-plus percent with over half the respondents in do apply to some type of cybersecurity framework. Good to hear. Good to know, good to see that there's that awareness out there, and we're actually doing something. Just a year ago, we've taken similar polls like this. And I would say that number probably was split 50-50 at that time. So making progress, awareness of frameworks, application of that framework implementation of some of the asks inside the framework looks like it's taking hold and for good reason. 
So if you did answer yes and you are looking to use a framework you use one today, please pick one here. NIST being the one at the top and perhaps the most popular. But ISA, NERC/CIP, depending on the industry, of course, ISO could be in there as well. So we'll give this one just a minute as well. Thank you. Looks like most everybody familiar with NIST, utilizing it. Okay. We'll just give a couple more seconds here. And again, 60% of the folks out there that are using frameworks and cybersecurity frameworks to guide their policies, procedures, governance, the risk modeling, risk maturity are familiar in using this. So excellent to see. Maybe I won't tell you anything new here today, but there's always something new to learn. I've got a couple of stories to tell with some folks that I've crossed paths with over the course of time here and interesting stories about their implementation of NIST, their application of the framework itself, the maturity of the framework especially as we move into the NIST 2.0 as well. So thank you for those that answer. I appreciate that. Moving on. Not surprising. I don't think that any statistic I pull out is going to tell somebody that they may not already know. But 600% since the start of the pandemic is astonishing and the headlines are all there for us every single day, every which way, whether it's the amount of money that is being paid out to malware and threat actors, where the threats are coming from. We continue to learn more about the actual threats themselves. But it's not surprising how much it's increased. I will say what is more surprising is that it's increased in the industrial manufacturing space more than anywhere else. And so manufacturing is the #1 attacked sector that is above finance and above anything else. So I think just a couple of statements about that.
The legacy unpatched infrastructure we all know of, of course, creates a very vulnerable target, the IoT environment, people wanting to do more with less remote workers, digital transformation, of course, that landscape gets much larger through that action. Insider threats, we must -- we often think of cyber attacks as perhaps just from the outside, just from bad actors. There are insider threats as well. Of course, this lack of skilled resources, the number of open positions and head count to fill roles that are focused on cybersecurity. Most organizations that I work with, I sit in a unique position here with a North American role in our Cyber & Security business. I get to talk to a lot of customers on a daily, weekly basis. And their organizations are evolving and changing. I can always tell the most prepared organizations are the ones with the most organized team of people around this, that real IoT teamwork. I ran into an organization that created the [ TITO ] organization, IT/OT backwards. And so I knew that they had a real focus in this area. And just interesting to see where this IT/OT convergence is really happening. I think we've talked about IT/OT convergence for a long time now, but have we talked about it from an organizational structure. What really matters is OT people understanding IT and IT people understanding OT and where that's happening inside of our organization is where we're seeing some progress made. But again, manufacturing, not surprisingly, attacked, but most attacked is something that caught me a little bit by surprise. I had a conversation again earlier this week with somebody about the Logix platform, Logix from its inception is going on 25 years old. So it's not just PLC-2, PLC-5 installed base, right? It's a Logix installed base that could be 25 years old and certainly aging and certainly consider legacy to some degree as well. Moving on, the challenges in general here are just astonishing and what we have ahead of us. 
This is where the do something matters more than anything else, right, just because not being prepared is where we get ourselves into trouble and where most organizations have fallen flat. They just didn't do enough or they didn't do it the right way. They didn't use a framework. They didn't use a strategy. They didn't use standards. And if you don't, any one of these could really become the source of the attack. The complexity of these threats are just complicated. And the folks who are carrying them out are getting better at doing it. They're very sophisticated. They have sophisticated tools. There's a reason that it's called an ATP, right? It's an active threat, right? It's always constant and they can live in environments for a very long time, undetected until they're ready to launch the malware, launch the attack. The widening skills gap as we mentioned, currently, job openings are up over 30% just in the past 12 months alone. It's being recognized at a Board level, many things like NIST, NIST 2.0 mandates from the Federal government in the United States around critical infrastructure, certainly have caused organizations to act; new disclosure around publicly held companies reporting to the SEC within 72 hours of an incident, continue to put focus in this area and then emerging threats. So more connected devices, IT/OT convergence, digital transformation is causing a wider, a bigger threat landscape. And therefore, more opportunity for there to be an attack to happen. Rockwell likes to talk about taking a proactive approach. And the proactive approach is really necessary. It is not only about what happens before an attack, but what can you do during because it's probably not a matter of if it would be a matter of when. Something happens with all of the threats and all of the threat landscape that exists in an organization today. But what happens after an attack as well. And that's where NIST really helps us. It's flexible by nature. It's voluntary by nature.
What you do is really up to you as an organization. But thinking about it from 5 pillars and even the sixth pillar now as Govern comes into play here and we think about things like organizational risk, risk management, supply chain risk, how do we incorporate that throughout the entire attack continuum. So what happens before we need to identify what our possible threats are, what are the vulnerabilities associated to our asset base. How do we protect that? We couldn't identify. We couldn't protect what we couldn't see. So the approach of NIST and its common sense about, I really need to identify everything in my environment, identify the associated vulnerabilities, prioritize those vulnerabilities, and then protect it. So it seems to really make sense. What are the measures I can go through in order to protect all of what I see as my prioritized vulnerabilities. And then moving into what happens during an attack, the detection of it. So whether or not I have identified all of my threats and my threat landscape, and I've been able to protect them and isolate them perhaps new threats, emerging threats, as we discussed in the previous slide there, not a matter of if, but when, how are you detecting it? Are you detecting it in real time? And then what are you doing once you've detected? This respond and recover are kind of looped together, you kind of lump these 2 together as well. Normally, after an attack, you're thinking about what is your response to that attack and what is my recovery of that attack as well. I was speaking with a Deputy CISO, who had worked at an insurance company and then moved into a technology company here as well. And she said that they did NIST in reverse. And people who do NIST in reverse are not doing it on purpose. It can be done on purpose, but this was not her action. And what she said was, we were able to write respond and recovery plans in real time because we were responding and recovering.
And so we were taking the action of response and recovery, but we were building a respond and recover plan at the same time, which I thought was interesting. And then she went on again to say, I learned so much about our organization through the response and recovery efforts. I learned we didn't identify all of our asset base. I learned we didn't learn how to protect our asset base. I learned that we did not have the right measures to detect certain types of attacks. So respond and recover and NIST in reverse could be a strategy as long as you haven't waited so long that you're doing it during an attack is my recommendation. And then to throw in a little bit of the NIST 2.0 flavor here is that what are your governing policies associated all that? How are you measuring and identifying the risk mitigation strategies as you're moving through identify, protect, detect, respond and recover. So again, I just -- I like the common sense of the approach, I like the flexibility of it. You can pick and choose parts of the category, you can pick and choose what you think your organization is ready to take on, and you can prioritize those actions and show your Board, show your leadership, show your shareholders that you are taking action and you are learning and finding out more about your risk maturity. The other part of this is the circular nature of it as we move and mature into the next phase of NIST, NIST 2.0, reassess becomes part of our plan here as much as anything else. You've done something -- now we need to take an assessment again to find out if we've actually closed the gap from the original assessment that we had taken. So the nature of some of these reassessments is really important in each of these phases to measure ourselves in the effectiveness of the actions that we're taking. But in general, the NIST cybersecurity framework or NIST CSF helps businesses of all sizes, understand, manage and reduce the risk and protect their networks and their data. 
It's unbiased and it enables long-term security and risk management. There's companies that I'm familiar with that have been working within the NIST framework and using that as their guiding light for their security, maturity and their security policy, their security plan for years, multiple years. And with some of the adaptations of where we are with NIST, like the reassessments and like the governed policy, I think it really can stand the test of the time to continue to be the framework to help guide your organizational strategy in this space. The flexibility, the adaptability as your organization changes, you can use the framework to change with you. I think the future requirements and compliance is important as well. If they come out with a new standard, it will -- you'll be able to apply it back into NIST and there's some examples of that as well. I'll jump into just a few more details here.

Unknown Executive

executive
#3

Let's see if I can answer a quick question. I do see some in our chat here. Scott asks with aged infrastructure, production sites have an installed base. Does Rockwell have a strategy to make patching their software platform easier. Scott, we're always looking at ways to make patching easier. It's not a one size fits all. I'm sure as you're aware, patching is probably one of the more difficult things that we have to go undertake. It's a very difficult task. The interoperability of what we do in a manufacturing environment is extremely critical to the way the operation runs. And that's one of the biggest issues without having organizational structure as all my IT department handles that. I'd be -- I'm very skeptical of organizations that tell me their IT departments handle their OT security. I just -- I find it very hard and very difficult to come to grips that the IT folks have the knowledge of what the OT resources have and have that understanding that simply patching something isn't going to solve your problem and could further create much larger problems such as downtime, machine effectiveness and so forth. But that is one of the risks. We're always looking at it. We look at security, I think, today from two different angles, one being product security and then one being actual cybersecurity from an organizational perspective. Product security is a Rockwell product initiative, and we try to incorporate that as much as we can in our offerings. What we try to do here with NIST is, again, be unbiased, be extremely agnostic and extremely horizontal across industries. But yes, there are more tools, there's more technologies. There are more processes that can help us. One thing I have failed to mention at this point in time about NIST is a higher inclusion and a higher importance placed on the people, processes and technology part of what NIST is. Nothing will work, right? If we don't consider people, process and technology. 
I talk to customers and people all the time that if you're looking for technology to solve your problem, you're probably in the wrong place and you will go backwards if you just think technology will solve your problem. I'll give you an example of that as we get into the detect category here, but we need to keep people, process and technology at the front of what we do. And people process technology is certainly a part of what a patch management program should look like. So thanks for the question, Scott. We'll try to get to a few of them as we continue through. But first, if we look at identify, this is just about thinking about what your risk profile looks like. How big is your asset base? How big is your threat landscape? Where are you vulnerable? And it really just starts with an asset inventory. I wish we had another poll question here, but maybe just thinking your own minds. Do you know and do you understand how many assets you have in your environment today? How big is your threat landscape? Where are you vulnerable? What are the associated vulnerabilities to your asset base? And have you prioritized them? Is there an asset sitting out there today that is unpatched, unidentified, that is perhaps the way a threat actor could do harm to your environment and to your network? The only way to do that and the only way to know that and understand that is either to do that in real time through an intrusion detection system or take snapshots of your inventory at time with various tools as well. The other types of tools in this space are network security assessments, in particular, network security assessments that are comprehensive in nature and they are done in accordance to standards like IEC 62443. So there are a lot of assessments out there. There are a lot of network assessments out there. I would be very cautious about the type of network assessment that you're doing and how it reflects a standard, especially IEC 62443.
Again, there's a lot of risk assessments out there. I would want to think that most risk assessments do apply to a standard like NIST, but a NIST-based risk assessment is really important because it will show you not only the areas that need improvement, but they'll categorize them as well and they should be able to prioritize them as well. If you're looking at just singular points of attack pen testing can be a very effective way to identify risk and then again, vulnerability assessment. It's one thing to have all of your assets in inventory, but the associated vulnerabilities of those particular assets are important as well. So there are a lot of sophisticated tools in this space. I look for the ones that apply standards. And then I also look to ones that can help you in an ongoing way. The one that will get you to another step is what's most important to me here. This is just an assessment. It's only as good as the sheet of paper. I cannot tell you how many times somebody does an assessment and puts it in a drawer, does not act upon it, whether it becomes a funding issue, whether it becomes an organizational issue, whether the data they got, they just don't trust. So doing this right and getting this part of the NIST framework is critical because this is the baseline for what you are going to do next. Perhaps it's even the baseline for what you're going to do next. And next, you can set forth a several paths just by getting identify right. Moving into the next category here protect, I said it before, but you can't protect what you didn't identify. So now that you have something identified, what is it that you're going to protect? Is it an unpatched piece of aging asset base, and you're going to have to go ahead and segment that network. Is it that your entire network is not segmented. More importantly, if it is, is it done correctly? 
Is it according to a standard like 62443, and I do know that my IDMZ is built and architected correctly so that IT/OT traffic passes between the layer 3.5 in a Purdue model network and gets from the plant floor to the enterprise and enterprise to the plant floor as well. And it's safely, it's securely mannered. Many people have IDMZs, many people have not set up an IDMZ correctly associated to a standard and really take advantage of what an IDMZ is. And then further downstream into the network and into the plant, where are our network segmentation needs. And you will not find that out until you've done the correct types of network assessments. OT data center deployments. So this is infrastructure, compute infrastructure. This can maximize uptime, if done correctly. But having somebody who can administer and life cycle data center, 3, 5, 7 years on some of this equipment is probably all you're going to get. So it will become very vulnerable. At that point in time, having somebody manage it, password protect it, manage network traffic to and from loading on it as well. Security remote access, again, as we moved into the pandemic and now out of, it still is the norm for remote access to be utilized in much larger fashion than ever before. But how are we managing how much network is how many people are on our network, who's closing out of the network, once they've been in there, who's taking note of what they've done when they've been on that network as well. In the end of the day, you're trying to mitigate insider attacks, stolen credentials, perhaps accidents from the outside. When somebody is there to do something that they were authorized to do anyway. Patch Management, as Scott had mentioned it in his question in the chat. But just keep operating systems up to date and secure, it gets harder than it says, but Endpoint protection, we do this with IT devices. Why aren't we doing it with OT devices? There are technology solutions, technology providers.
There's managed support for endpoint protection. So just another layer of security when we think of defense in depth, are we getting our endpoint secure. And then the data backup and recovery as well, this can kind of go with the OT center, data center deployment. So for thinking of industrial data centers, where is that information backed up and recovered from this could be things like historians, asset centers as well from the product side of Rockwell security suites. But really the right strategy in place across the protect is important and thinking about all the safeguards to limit or contain an event here in the protect. See if I can grab another question here. Improvements of NIST 2.0 instead of 1.1. Arun, I think we've covered a couple of those, mostly about Govern but it includes people processes, technology. We'll go into a couple of other ones. There's expanding versions of NIST in particular. So NIST 800-55 would show you some of those improvements as well. I'll point out some of that here as we continue to go on. Detect, though is really about real-time threat notification and access. So when is something happening in real time to the network and asset or end points how quickly can you detect that? And how quickly can you understand that? I'll share an example, native to Rockwell's environment. We've installed our own intrusion detection systems at a facility -- a fairly modern facility. It has a CPwE, IEC 62443, modernized network. But the minute we install the technology 400,000 alerts and alarms. Now that, to me, is a real big skills gap because I don't know of anybody who has time for 400,000 alerts and alarms. If you get 400 e-mails in a day, I know it's a long day. If you get 400,000 alerts and alarms associated to what's happening in an environment. Nobody is going to be able to even absorb that and understand that. So this alert fatigue, alarm fatigue is absolutely real when you're installing this type of technology.
And as I mentioned before, the people processes technology part of this. So what are you going to do from a process perspective and a people perspective to put 400,000 alerts and alarms into real context. And so, there are things like tuning exercises that you can do. Certainly, as it lives in your environment, it can understand a little bit more about prioritizing what an alert and alarm look like. But still, even if you're able to get that down to a few hundred, which is what we were able to do in our own environment through some of these processes, it required more technology to get to a manageable amount. And depending on your organization, depending on how your organization is utilizing people processes, technologies, you can still further reduce that perhaps into the hundreds, but getting it down to 5. 5 is what we were able to get this down to from 400,000. The minute this software goes into a modernized network and a Rockwell Automation factory 400,000, we're down to 5, and that was only through the use of managed threat detection services. And so this is the security operations center. If you can see my background, that's a shot of what is our security operations center. I'm sure everyone's familiar with a SOC or an MSSP, Managed Security Services Provider, but most people have them on their IT side. And here's an example that I'd give you about doing this with a real OT lens in understanding the people and process side of this a little bit more. So the technology used at a SOC and our SOC in particular is SIEM & SOAR, so it's incident response and event management technology, very familiar in the IT world, and that's where it comes from more or less. But how do you contextualize what's happening without the people and processes. So if somebody were to change a password at 3 in the morning, that may be assigned a criticality of a 3. If somebody were to change a password at 3 in the morning after multiple failed login attempts, you can assign that a 5.
If the IT department in their SOC is seeing a 3 and a 5, does that mean wake anybody up? Is that time for an alert, do you shut the machine down? I would think not. I would also question whether or not anybody raises a 3 or a 5 to any other level. But again, if somebody changes a password at 3 in the morning after multiple failed login attempts and a port scan or a configuration change is made to a controller, maybe those are 5s and 7s as well, but now we need a 5 and 5 or 5.5 and 7 as far as what those were assigned from a criticality perspective, and you put together these playbooks that say, this type of story is an attack. So having the people and the processes to understand what a threat looks like and how this threat is being carried out is what causes the alerts and will help you get to 5 by building those playbooks by having that understanding. And so now what you do from a response and recovery perspective may change. The response to a 3 is something. The response to a 5 is something else. The response to a 10 is something much, much greater than that. So it's really this ability to stay ahead. I've seen this. I know this. I've seen this. I know this. Now it's time to do something different, whether it's automated or not, but you want to be able to do that in continuous fashion. And with 24/7 and the addition of more technology, the addition of more people and processes is what really is effective in helping to manage and stay ahead. So respond. This is really just about incident response and your communication plan and action plan. I went -- I spoke early on here about cyber security being a team sport, the [ TITO ] organization or the idea that you would have an IT and OT organization together, to go do something and make these decisions ahead of time. But how do you prevent the expansion? Something happened, I detected it. We now have to respond. How deep of an intrusion did it go? Where did it start? Where did it go? How big is it?
How widespread is it? What impact could it have? How will I mitigate it and eradicate the incident from here? How do I know that I've contained it. So respond becomes extremely important. You have to be very vigilant in this particular category because everything that you've done in the identify, protect and detect is what's happened before and during an incident now is critical in order to ensure that it doesn't become a much larger incident. So how quickly can you respond to something happening? How will you respond to limit the impact to contain it to stop happening from what it's about to happen. And this obviously will have varying degrees of criticality and prioritization as well. But from who you call, who you talk to, to what you do, who has authorizations to go do the actions that are necessary and part of your response plan. But you can see that no one of these particular types of events or types of actions are more important than the other. They all have to get done, and that's why doing something is better than not doing anything at all. Having just some level of a response plan gets you started. But having a very good response plan in place and knowing who you're going to call and what you're going to do and getting everybody on that same page becomes really important because when something does happen, you will certainly want to make sure that you're responding in a quick and fast manner and effective. Recover: this is just about what happens after responding. How quickly can you come back? How quickly do you restore those operations safely, of course, limiting that downtime. But how do you target the response and the recovery activities? Where did this come from? How did this happen? It's important to know that so that it doesn't happen again, but it may also help you work through other places that the attack may have gotten into.
So finding out how it happened and where it happened can help you lead to other parts of your organization to see where it comes from. Most -- most attacks start on the IT side and come down into the OT side of the environment. So with that said, it's probably lived in your environment for quite some time. So once you've found it in the OT side, how can you trace it back to what's happened in the IT side to cover up holes. Perhaps it's in the IDMZ. Again, we talked about not configuring not having an IDMZ correctly implemented according to a standard and working in your favor. And then resiliency planning becomes part of this as well, too. So it's -- this is a bit of an enhanced strategy, but how do you refine it? This is the constant motion of the assessment, hey, perhaps in my respond and recover plan, I should put something back into it. I'm going to have to take a different proactive approach here, but ultimately reduce as much of the impact as you possibly can. Let me see if I can find a question here. How vulnerable is basic nonnetwork water pump station VFDs, Ethernet connected, central PLC and auto. It's always difficult to say how vulnerable they are. Some things like a pen test can tell you just that answer. Some things like a risk assessment can tell you how vulnerable something is -- so if you have a device or you have a particular operation that you think is critical and you think may have a vulnerability or a weakness or you know that they do. I would certainly suggest the type of assessment that tells you what the gaps are, what the vulnerabilities are, what the issue is and perhaps make some recommendations out of that as to what can be done, whether it be segmentation, whether it be patching, whether it be migration. That may be one of the only answers. But again, how far can you go to protect a particular asset or a particular operation as well. 
So it does matter which one you pick, I think seeking out support and help to find out exactly what the deliverable is associated to an offer is important and it will that produce the outcome that you're looking for. So good question. Thanks for that. Just looking at this top to bottom and not horizontally across and attack continuum. There are things that everybody could do and should do. Now no one organization, I think, is doing all of these to the most effective manner. Some are very mature and some have been at this for a long time and some have the right organizational structure. Some have the right funding. Some have the right skill sets and partner sets and technologies and people and processes to go do this. Managed services certainly are a big part of how this effectively gets done from a people and process standpoint. The technology is out there. There's a lot of technology today. I think I've seen a slide from our CISO at Rockwell that shows we work with 20-plus technology partners and vendors from varying degrees and varying sources to try to operate our security strategy. I think 16 is the last number of averages that I've seen. Rockwell is a fairly holistic capable provider of a lot of these solutions, and we work with lots of customers to provide multiple solutions. I think what really is important is this getting started in doing something and plugging into this journey and plugging into this framework where you're able to do something. Customers always ask me, "Well, what should I do? There's all this on a sheet of paper. I got to get it all done. There's all kinds of recommendations, but I say do the thing that you're going to do and you can do, right? Don't pick something that you're not going to do for 9 to 12 to 18 months. Maybe it's in the background and maybe you're looking at it, but pick the one that you are going to do because it may help you make a different decision about what you're going to go do next as well. 
A quick question from Brian out there. Does RA have supported or recommended vendor list for network security assessments and vulnerability assessment tools, Rapid7 or Qualys? We recommend our solutions. We have technology partners who we work with in order to deliver types of network assessments, vulnerability assessment tools. We'd be happy to speak with you, Brian, about that. There are a lot of pieces of technology. But again, it's about how you want to incorporate that and how you want to move that forward. The important part to me to answer is, am I prepared for the results of what this is going to tell me. I've seen a spectrum from the Board level down to the plant floor about why you would do something or why you wouldn't do something. And the Board level is afraid that you're not going to find everything and the plant floor is afraid that you are going to find everything. So they both provide an opportunity for risk. They both have varying degrees of, am I doing my job correctly or not? Am I going to have more work to do if I go find everything? How much more risk do we have if we don't find everything? So you got to really put together what this teamwork in this organizational structure look like. So you're able to make the right decisions about the right products, the right technology and then make sure you put the people and processes in behind them. Moving on. This is a pretty neat little security assessment. So this is free. It's about 25 questions, and it will show you where you are within an industry rank relative to your peers, I think we've got upwards of 1,000 different responses now. So we're getting a pretty broad base across a pretty broad stroke of industries. And I would take what the results of this assessment are, not totally as [ hard ], but as a guide. 
And the results ultimately will align back into the 5 categories of NIST and tell you where your biggest deficiencies exist and then provide some recommendations according to what we just went through within each category that possibly could help you be more prepared. So this is a cybersecurity preparedness assessment, and it's a starting point. It's again free. It will give you a baseline according to your industry and an example of it will kind of look like this is your overall score. And that's your overall score relative to others within that same industry. So if I'm a food and beverage customer and I take this, my preparedness is roughly 50% of the average of others in my industry, and the idea is to try to do something or change something in order to bring your category score in each of the categories higher. So if I'm the most efficient in detect I might be looking at real-time intrusion detection as my next step. I might look at better ways to identify my asset base. I may look at some things that I can do inside the protect category as well. It seems like this particular example included somebody that had a fairly well written, a fairly comprehensive response and recovery strategy. So again, just points you in the right direction and digging a little further into it. Industry average scores kind of look like this as well. But this is just a sampling of what the results look like that you can get from taking such an assessment. And here on the next slide, you can grab your phones and take a picture of the QR code, and that will give you the link to the assessment. So I'll give it a minute here for the -- everyone to catch up, and I'll see if I can find something in the chat. Very good question in the chat. Is the Purdue model still relevant during IT/OT convergence? I love that question. I love that question because -- my answer is that it's becoming less relevant. 
It is absolutely still relevant in the context of an IDMZ at Layer 3.5, you just simply are not going to have the same network in your enterprise as the same network in your OT environment. There's a lot of different protocols in an OT environment, right? Hundreds of industrial protocols in an OT environment. And therefore, they do need to be segmented. They do need to be treated differently. And so from that regard, a Purdue model to me makes a lot of sense. But I do have a lot of discussions with a lot of customers about the disappearance of the Purdue model, a network is a network. And the factory floor is in the enterprise and the enterprise data is in the factory. That's where we've been headed for a long time, and that's really what Ethernet has done. And I had somebody explain it to me before like this, the world is really, really flat with Ethernet. Anybody with a computer who has a connection to an Internet can be on whatever network they want to be on anywhere in the world. That's a really powerful statement. It's also a very scary one. So the Purdue model, to me, is relevant around the fact that we need to understand it from a security perspective, take into consideration the differences in an OT environment versus an IT environment. But as far as the disappearance of networks and network layers because of Ethernet, I think it's a double-sided coin there where you've got to consider that, that network is all one and the same to a large degree. Take another question here. If everybody has not already gotten to the assessment piece of it. What mitigations are recommended for vulnerabilities when firmware updates are difficult and costly? It's not feasible to update thousands of PLCs. Another very good question. Philip, thank you for that. Segmentation is my simple answer. I know that's not a simple answer, but I think I would take a look at a Crown Jewels assessment. 
What assessments are so critical to my operation that if they're attacked, if they fail, if they go down, my operation completely stops. And I would start there to understand what type of backup recovery, what type of segmentation, what I like to deploy in order to keep those assets operational and keep the part of the facility that is considered a Crown Jewel in that instance. I understand migration of thousands of PLCs because of vulnerability notice. And in particular, Rockwell had its own vulnerability announcements just here in the past few weeks. We worked with a partner in [indiscernible] discover those and take recommended action. And so I understand the amount of vulnerabilities that exist and the amount of effort it takes to stay up with what it would take to patch that. But segmentation would be a short answer to that. There are some other things I think we could take a look at as well. I'll move forward here for the sake of time. We've got just about 5 minutes left. So thanks for hanging here with me. In summary, no single product or technology or methodology is going to take care of this problem. I think we all know that it is a massive effort from an entire organization to go do this. Things like NIST, things like what NIST 2.0 is asking for and asking us to do is how we will help solve some of these problems. We will not solve all of them, but we will move our maturity forward in these states organizations will become more secure through these types of actions and through these types of implementations of people, process and technology. I think we spoke to this just a little bit earlier about being overwhelmed and the number of things that are out there to do. The focus really needs to be on what are you and your organization prepared to do? What are you going to fund? What are you going to resource and how are you going to adopt it? Adoption at the end of the day is extremely critical. 
Adoption of the people, the processes and the technology, only your organization will be able to fight your organizational crime. So keep focused on what you can do. This early and open dialogue, the team sport is essential, concentrate on the known probable threats, take those assessments and work towards figuring out what you can do to reduce, mitigate the threat and then move on with another assessment to see how far you've matured and see what the new possible threats look like. You can't protect what you can't see. So that risk-based strategy around understanding a static environment to begin with, but doing that in real time is what becomes critically important as the constant evolvement updating of the landscape will change of course. And then work with trusted partners, so people that know this space, I think, is extremely important. There are a lot of cyber security providers out there, whether it's single point technology, whether it's consultants and everybody is working towards the same goals, it's really critical for people to understand the controls environment and the number of assets, the age of the assets, the interoperability of those assets, the crown jewels inside a facility that make an organization run and what becomes their most profitable and meaningful assets are important. That is -- that can be lost sometimes. And I've seen people take only an IT lens at this. And I think those folks have seen the consequences of that. It really needs to be a 2-way street working together with the entire organization there. Pretty close to the time here. I just wanted to say thanks to everybody for participating through the chats. We will make sure everybody gets an answer back to everything in the queue there. It helped make it a little bit interactive throughout here. Again, this was just part 1. So if you're going to hang with us for the 7-part series, there's going to be a lot to learn. Some of my colleagues will be participating here. 
Part 2 coming up September 7, how to identify cybersecurity risk. So we'll jump right into the very first category of NIST with Identify. We'll move through protect, detect, mitigate losses, respond, recover in a restoration one for Part 6 and then how to get your C-suite, your organization bought in, if they're not already. How do you get them on board with what is the return on investment inside cybersecurity. I know that could be an oxymoron for some. And I trust -- everybody understands that it's not -- because if we don't invest in cybersecurity, we are going to be investing in recovering from cyber attacks. So thanks to everybody for their attention. Thanks, everybody, for their diligence in this space. Feel really passionate about what we're able to do. Here, I feel really strongly that Rockwell could help anybody who was looking for it. And hopefully, we've already had some conversations with a bunch of the folks on the line here today. I'll try to get to all the questions I can. And I really appreciate everybody's time. Thank you. Have a very nice day. If you could hang on for 1 more minute and take a post webinar survey and register for any of the upcoming webinars just right there. Thank you so much. Have a great afternoon. Have a great day, all. See you soon.
