Rockwell Automation, Inc. (ROK) Earnings Call Transcript & Summary

Hello, and thank you for joining today's webinar. Before we get started, we have a few housekeeping items. The audio for this event will be streaming through your computer speakers. So please make sure that your volume is turned up and your speakers are turned on. Our webinar platform performs best on chrome and Firefox browsers. On the lower left-hand side of your presentation, you will see a Q&A box. We encourage you to enter any questions you have there, and we will answer them at the end of our presentation. If you're having trouble connecting to the webinar, please take a moment to refresh your browser and disconnect from your VPN. If you're still having trouble, please clear your cache. We have instructions in the handout section of the webinar platform. All of the panels of the webinar platform are adjustable. To resize, simply click on the corner and adjust or hit the maximize screen at the top right hand corner of each panel. Today's event will be recorded and will be available right after it is completed. You can access the recording of course utilizing the same link that you used to access the live event, and after the webinar, we will also be sending you an e-mail with the resources from today's events, including the slides, handouts and event recording. Additional information regarding today's topic can be found in the handouts panel of the webinar platform. And with that, I would like to present our speaker, Travis Tidwell. Hello, Travis. How are you doing today?

Good day. Hello, everyone. Thank you for allowing me to be here and kick off with you today. Doing well. All right. So let's go ahead and start it. Again, certainly, thank you for joining me in this 7-part series as we navigate through the NIST Cybersecurity Framework. As mentioned, my name is Travis Tidwell, and I am very excited to be here with you today. Last week, my colleague, Brian, he kicked this off in the 7-part series with part 1. And today is part 2 of the series, which really is going to be focusing on, identifying risks, right? And this session, we will dive into the NIST Cybersecurity Framework. We will focus specifically on the identified function. And it's really a foundational pillar that enables organizations to develop and implement their own security framework strategy, right, in order to manage cybersecurity risk. So it's important to note that before we get started, I wanted to highlight one of the reasons why we're running this webinar series. And last year, Rockwell, we performed a -- we had one of our third parties that is performing an assessment survey to gauge our customers' preparedness, right? And we interviewed a wide mix of industrial security leaders, executives, plant managers and business managers. And that survey, it really kind of validated some data points that we kind of knew, but it just underlined the fact that many of our customers still have security gaps. Key highlights from that survey point out key things around -- 73% of survey included infrastructure, organizations, experience some type of cyber breach. Also around 20% conducted asset inventory on a not so frequent basis. And less than 30% had cybersecurity plans in place, which is an underscore that gaps still exist. So given the threat landscape, it was very clear, I'll say, to the Rockwell team that we have work to do within this industry that we serve. Specifically given that a lot of our products, the solutions are in this environment that we must support collectively to protect. And that's really why we're here today, to really kind of focus on how can we help identify security gaps based upon leveraging the NIST Cybersecurity Framework. So I'll let that kind of kick us off. And this here is really just an outlook on the agenda today, the journey that we'll take. We will start with the overview of the NIST Cybersecurity Framework for a brief recap. We will also kind of navigate through the identified function of this framework. And really, as you look to establish how identifying a risk with business context, we want to explore the different categories of that pillar for key considerations. We'll start to round out with some of Rockwell capabilities, going through a customer case study. And as we close out, we want to offer out access to one of our free cyber-preparedness assessments and then just kind of do a readout on key talking points that we discussed as well as give a timeline on some of the upcoming seminars that will be following this event today. So let's go ahead and get started. All right. So this is an overview of the NIST Cybersecurity Framework and the core pillars that we're very familiar with. The framework provides, as you know, a methodology for developing and implementing some type of a strategy that helps you manage risk across your enterprise. And with this framework initially [ banned ], I'll say, developed to support the critical infrastructure, it has become very applicable to other organizations who desire to manage their cyber risk. It provides guidance on these 5 core functions. And under the newly released 2.0 version that was built, I think, early last month, 2.0, there will be 6 pillars now. These functions that we know are coming on as identify, protect, detect, respond, and recover, and under the 2.0 version that is being released, the governance pillar. So that's a very important pillar and more updates I know will be coming in the months to come around that. But that being said, relative to these pillars, you don't necessarily need to choose one function over the other. They work in conjunction with each other, right, as we think about risk management strategy. So each one of these functions, they have categories and subcategories, which drill down to specific steps that an implementer can execute when it comes to applying this framework. And today, we're going to be zeroing in on the identify pillar with brief touch points going some governance aspects. So as we continue to move on, often times talking with customers, and a big challenge that a lot of organizations have is lack of, I'll say, a unified cyber strategy, right? And part is because of their perceived risk that is, is perceived in different ways, as different various SMEs, stakeholders within that organization seek to align on risks and different priorities. And this can make it very difficult and challenging to get everyone on the same page. So the NIST provides some great benefits as it was developed by a broad community of security professionals to give that comprehensive and unbiased viewpoint. And that's part of the reason why the adoption of this framework continues to grow. And even in Rockwell itself, we continue to be volunteers that participate in this process. So with it being built on recognized practices, it really kind of helps enable long-term risk management strategies. It helps adopt and utilize the risk-based approach, which makes it very flexible, customizable to your organization. And most importantly, I'll say, the communication gap gets addressed. It really helps to bridge communication gaps between different stakeholders. So with, I'll say, the effectiveness and the flexibility of this framework, let my animations build out here, Rockwell, we utilize this NIST based approach not only internally to help secure our own, I'll say, global infrastructure, but we also use it externally to engage with you guys, our customers, to help them really develop and implement a risk management strategy. So whether it's going from strategy development or to tactical execution, we map our broad portfolio of capabilities to this framework and the specific reason for that is simplicity, right? There's a common question that we get asked often with our customers is, how do I start my journey? Or even, how can I advance it further? So this approach, it really allows us to offer a guide where we can work with our customers based on where they're at and help them advance further in their journey. And that journey really starts with identify. All right. So when we think about that, right, in terms of what that really means, when we talk about identifying, that is, we are really talking about a risk management strategy. And any risk management program, I'll say, it works off the concept of visibility, right? That concept of visibility, and before you can protect anything, you need visibility. And that's why the identify function is the first step in the security framework. Underneath that identify function, there are several categories as shown here. And these categories were listed by the CSF community in this order to really provide like a logical flow and structure to identify key outcomes required to manage cyber risk. And within identify function in itself, the first step is that, we hear this often, you really need to get your arms wrapped around the assets within your environment. You really need to be able to understand what's there, so you can kind of start to manage that within your organization. And from there, you can better start to kind of, I'll say, understand your business environment, the objectives that depend on those assets, right? You can also start to identify, refine, maybe document what that security governance framework should look like relative to that environment. And from there, you're also able to, I'll say, better understand the risk exposure that your organization may face based on associated threats and vulnerabilities. And also leverage that context, I guess, right? This context is key. We want to be able to leverage that context to help inform the risk management processes in order to help prioritize what those risk management decisions are. And that also allows you to better manage the supply chain risk based on the organization's priority constraints and risk tolerance. So each one of these categories have subcategories, which we will not be discussing today, but we will go through each one of these categories listed here to kind of talk to some high level, I'll say, considerations for identifying cybersecurity risk. All right. So one of my favorite categories here. And this first category is asset management. So the key question is, what does the organization need to manage and protect, right? That's the goal. What does that need to protect against. So to run any company, you need assets which consists of people, processes, systems. And those assets, they need to be identified and they also need to be managed, right? And so without that sort of blueprint of the organization's assets, there's also potential risk that they may not exist. And that's where we see where a lot of organizations they have these gaps when it comes to documenting asset inventory, applications, and I'll say, even in some cases -- a lot of cases, even policies for governing asset management. So when you think about the critical OT cyber assets that typically consist of your industrial control systems and scale systems that are controlling your operations, those are very critical components to your process. So for those assets, right, you want to be able to have detailed software and hardware inventory, which includes a wide range of, I'll say, attributes, you'll tie to the firmware version or the operating system version, the vendor, and a lot of different just relevant information that needs to be documented around that asset. Also, even, I'll say, its relevance in terms of, is that asset accessible? Where does it sit within the architecture? So I will also point out that not all OT assets are networked, or they may not all be easy to discover based on the legacy of that protocol and other maybe challenges, but it is still very important that you account for those assets as you think about protecting the full environment. So asset management, right, you really kind of focus on identifying and governing key elements within your environment such as the different devices and systems, the software applications that are [ halted ] on those systems, even the data flows that are between those systems, the interconnectivity, the locations of where they sit. And also, that kind of helps you gauge on how to prioritize those assets based on risk classification and its criticality level. And from an operational perspective, be able to gauge the life cycle status of that asset. And for my owners and operators, it also helps with the roles and responsibilities of how to kind of manage that. So in short, I know that probably sounded like that was like an order coming in. But in short, the better handle that you have on asset management, the better you are able to protect and respond to different cyber incidences within your environment. So what I want to do here is have you take a poll. So I'll let this sit out there for a minute. So I advise you to take this poll in order to really kind of engage and understand how would you characterize your current state of asset inventory management practices. So I see here -- okay, people are filling in, filling in. Good, good. Filling in. Okay. I'd give it a few more seconds. Oh, fully busy. Okay, there's few more. All right. So I know we're still a little busy. So hopefully, I got -- this looks like I've got majority of people's numbers. So this is not alarming, and I'll say you're not alone. For those who are fully documented, you are definitely in the pack. So hats off, keep doing what you're doing. For those that are still in that journey, that are partially done, which seems to be the bulk of most, keep doing it, right? The more visibility that you have, the better that you're continuing to improve your maturity level. And for those that do not have a document, I really kind of encourage you to start that process. All right. And I encourage you to start that process because it's very important that you must really know what key processes and applications are associated with the critical assets that are very essential to running your daily operations. And many organizations, as we saw, they may not have a full understanding of the assets in terms of interdependencies in the data folds between these systems and devices, which can create -- we see it time and time again -- it can create a security gap. so asset visibility cannot be limited to only certain areas within the facility or your plan. So what I have here is really just kind of an example of what a typical OT environment can consist of, right? So there are several different apartments when it comes to what's inside those 4 walls or within the parameters of what assumes in order to get products out or to provide those services. So there's different apartment systems. Critical assets reside in many different pockets of these environments. And oftentimes, they can get overlooked, because, one, they may not be documented, or from maybe not understanding of the processes, that they can be viewed as not as critical, which is not a good thing. Because a compromised system in one area of a plant, that can make other departments vulnerable to cyber risk, or even if there's a compromised system that is on machines in one area, that can make that asset unavailable, that can really kind of start to put an impact and hold productions. So for example, labeling equipment in your pantry line, if that gets compromised, you as a defender, you need to recognize what other communication and connections this has to other parts of the process, which can become a viable attack path for other areas to be targeted, such as whether it be utility systems or your processing areas and so on. So I'll say, to simply manage assets in your environment, you need to develop a deep intimate level of understanding and intelligence around those assets. And so when you think about navigating through these different categories, right, the business environment is one of the categories that is broken out under the identify function. So understanding the business environment is the key, key requirement for translating cyber security risk into business risk. So it's very imperative that we understand the value of those assets to the organization's mission. The value of an asset can be defined by the risk of revenue or it can be defined by the risk to safety of an employee, if impacted. Certainly, especially if you're working within one of those utility type of industries at the power plant or something to that extent, so it's very important to understand that. And with that level of understanding, that can help organizations distinguish between critical and noncritical systems and processes. And certainly, as we think about that, and for obvious reasons, organizations are required to mitigate risk that could impact their mission or key business objectives, which are typically tied to quality and safety, tied to the reliability of the supply, having a stable supply, and also some of the essential services that serves in our daily lives. So this business environment, it really gives perspective to an organization's role in the supply chain. And as you know, from a critical infrastructure sector that provides essential services, including even our critical manufacturing that is, if operations are disrupted, the stakes can be very high. We've seen -- over the last few years, we've seen different attacks that have had an impact. You would think about the Colonial Pipeline. That had an incident where that made viral headline news with the crisis of shortages, and that was impacted where I met in the Northeast area of the U.S. And then we think about the Oldsmar water plant, where there was an attempt to contain the water supply. Thankfully, that didn't turn out the way it could, but that could have been very catastrophic. So the key takeaway here is that without identifying proper business context, it just becomes that much more difficult in order to proactively manage risk decision status. All right. So when we think about a governance aspect, so I'm very happy to see that this has its own spotlight, and I'm looking forward to seeing some of the upcoming updates under the 2.0 version. Because you cannot effectively have a security program without adequate governance. Governance is one of the biggest barriers to implementing cyber security program, especially from an OT perspective. Why? Because it helps establish clear roles and responsibilities for implementing and managing your security programs. And many OT screen programs, they struggle with fair adoptions due to a lack of clear roles and responsibilities as well as the policies and the standards that outline some of the security requirements. And those security policies and standards, they really help set expectations and drive accountability, right? So as part of running a business, you have to think about the different risk categories that must be informed and addressed appropriately as part of that governance process. When you think about compliance from a regulatory perspective, when you think about public safety or environmental aspects, when you think about from a cybersecurity data breach or maybe impact to your IT or your infrastructure systems, that has its set of categories that need to be informed from a risk perspective. As well as operational, the safety of people, the availability of your manufacturing environment. And then we think about, whether it be strategically or financially, how does that have an impact tied to your trade secrets or intellectual property or the secret sauce, as one may call it. So these are some of the different categories that must be informed and really need a governance to kind of help drive that out and try alignment with the different sites as it relates to advancing your cybersecurity program. All right. So this kind of brings us to the risk assessment process, which really kind of starts by understanding your assets and their business value, right? What does that mean to the business? And as part of your security framework, right -- so you just kind of went through a little bit of the governance, you need the ability to be able to discover internal as well as external threats. And in many cases, you may be able to leverage different threat intelligence to do that, being able to discover internal and external threats. And when you think about different vulnerabilities and so forth, you want to be able to identify what vulnerabilities are associated with those assets and how could they possibly be exploited. And when I say vulnerability, I know there's a lot of different security tools that gives visibility to CVE scores and things like that, but I'm not just talking about vulnerability in the form of hardware or software, I'm also talking about from a cyber-resiliency perspective. You need to also be able to identify vulnerabilities within your business continuity plans, your disaster recovery plans, as well as, especially this day and time, your incident response plans, being able to have an effective incident response strategy. So this is kind of where you really explore vulnerabilities from a 360 view and not just CVE scores, right? Because that doesn't necessarily translate well to a loan that is to business risk. And what you can do in order to understand your risk of exposure is you can do different types of scenarios. Often we're seeing scenarios like pen testing, right? Or we might see the whole red team in or purple team in exercises, threat content activities, or even the various factors as well to get a gauge of table type exercises. So the objective of this risk assessment process is really to provide risk-based insights, right? We want actual insights that can be used in the form of organization of their risk exposure to operations, assets and resources. So one more polling question for you all. I'll let this sit here for a few seconds to gauge understanding of when was the last time that you were able to perform a risk analysis in the case of your critical OT assets. Okay, I see results are still coming in. We'll give that a few more seconds. Okay. All right. Okay, I see it's particularly -- all right, I'll go ahead and close it out. So a distributed response, right, we have, which is a good thing. I see that in the last year, a good portion of people, roughly 30%, have done it. So that's great, keep doing that. Few within the last couple of years. Those that are below the 3- to 5-year point, I certainly encourage you to explore that, right, in terms of really getting to understand your assets, getting to understand what that means to the business, and then kind of start to do a risk analysis against that in order to start to build out a strategy. So as we, I'll say, continue on, right, as part of that risk assessment process, it should not only capture security risk, but it should also capture operation risk. There's an integrated challenge with security and operational aspects, right? So it's very important for all the different stakeholders to become aligned on risk. So from a, example, security perspective, right, the spotlight could be focused on different concerns as it relates to, do we have a compromise, or maybe an affected asset in our environment, or maybe are we vulnerable to a certain type of cyber-attack? Or maybe even from a compliance perspective, are we as compliant with cyber security policies? And when you think about balancing that with your operational perspective, that spotlight could be raising concerns around, you know what, we may have a modernization challenge with obsolete assets or systems that cannot be patched or systems that cannot follow a standard life cycle time line. Or an instance where, if we are breached from a site perspective, do we have a local robust site resiliency plan that our site resources can execute against, as well as what does our modernized infrastructure look like? Do we lack a modernized tree architecture? Or do we have architecture and we just don't realize, it hasn't been properly configured. So these are the joint perspectives that really kind of help you unify a cyber risk program. And just quickly, I'll say just kind of circling back to this, right? Because as part of a closed loop process, risk assessments, they really help the organization and those enterprise risk management team take a risk-based approach. And that's what we want do. We want to take a risk-based approach. This really helps drive -- when we think about risk-based approach, what does it do? It's helping to drive security investments. It's also driving maybe time lines for modernization initiatives, or even upgrades that may support business objectives. And when we leverage these risk assessments, these online assessments, they help define and inform those positive standards, because within those positive standards, you have key requirements that are really driving a portfolio of controls, which are designed in order to kind of answer organization security capabilities. So when you think about things like network security or monitoring tools or endpoint protection or pull in threat intelligence, these are all different capabilities that are being driven by what's important to enhance the organization capabilities for strategy management. So each one of these capabilities, they still map back to some suite of policies or standards that are really aimed at mitigating some type of risk or threat to the business. So governance helps drive attention, and helps drive a closed loop process and the risk assessments are a key asset in that process. So I'll start this one here off with a comment that one of my customers had actually told me, I thought it was accurate, and he told me, and it goes, every business, it runs off decisions, and no organization lacks risk. So for me, that put things into perspective of a common challenge that each organization has, right? So one, you would never be able to secure all things all the time, which we know, and no organization has unlimited funds to accomplish that. So how do you select what are you focused on? Because you don't have unlimited resources and budget. And that's where an effective risk management strategy comes into play, where this process, it really enables organizations to make operational risk decisions based on the potential impact to the business. And there's key activities that are part of that process, right? You examine a risk, you want to prioritize the risk, and you want to develop a plan to respond to that risk. And as part of examine, I'll say that risk, there's a couple of things that determines the best of course of action for that, right? So your factoring things like business goals to determine, okay, does this have an impact to maybe some of our strategic goals. Or you went through asset criticality, right? So we kind of define kind of what that means. And then there's also these parameters around risk appetite and risk tolerance. If the risk falls within it, then it might be accepted. If the risk falls outside of those parameters, then a decision will need to be made. And that's kind of where it may be elevated to your risk management team. And some of you may sit on that risk management team as a stakeholder from a site perspective, right? And as part of that process, you're helping to prioritize the risk to determine what's the best response strategy that we need to develop for this? Do we accept it? Do we mitigate it? Or do we transfer that risk. And each organization, they may use different factors to help kind of prioritize that, which could be based off the risk exposure that's there, or this is very helpful as well, or sometimes maybe business impact analysis, what does this mean. Let's do a business impact analysis. And then that point about cost, right? And that has the type of cost benefit analysis of what does that mean implementing the appropriate response, right? And then to prioritize that, you want to develop a risk treatment plan. And that's kind of where that risk treatment plan should be your response to that risk. There's a lot of different controls. We have some upcoming sessions where we'll be talking about that. But your response could be things around the need to add more protection controls, detection controls, or maybe even response controls. And obviously, as part of that closed process, you want to continue to monitor risk relative to new changes in the threat landscape. Yesterday it might have been acceptable, tomorrow it may not be acceptable based off new threats, new business initiatives, new systems being connected up. So that's why that closed loop process comes into place as ways to monitor that. So this is just a straight way to drive the point home in terms of minimizing risk, it starts with identifying risk relative to the objectives based on what we're trying to accomplish, right? So when we think about from Rockwell's perspective, right? These are things that we're helping our customers with every day. And what feeds into how we help our customers identify risk are a few things, right? So we provide a range of different assessment activities, those assessment activities based on where you're at, what you're trying to accomplish and do, write reviews, to deep analysis. In many cases, we also conduct asset inventory evaluations, maybe some asset mapping and valuation in regards of critical assets in different vulnerabilities. We also conduct network audits and assessments to really bring visibility and expose the risk that you may be susceptible to. And as well as part of that reassessment process, we're really identifying other threats that could possibly be exploited within your environment. So from pen testing, we do these exercises where we may have our pen testers, they may perform various exercises to kind of really try and determine what type of risk scenarios that your organization may be susceptible to, and then in cases where we want to have something that's more impactful or surgical, as it relates to business impact, we may do some type of kind of tailored analysis in order to perform that impact analysis by understanding, one, what's the asset's value versus the organization. Also by evaluating key risk factors, things around like material costs, safety, recovery time objectives, and so forth. Right? So the goal here is that we help our customers with getting their arms around understanding their risk. We provide them with risk-based insights, so they can be able to manage risk much more effectively and mitigate it more properly. So NIST here, right, really kind of drives into Rockwell's, I'll say, risk assessment methods, right? So we're very flexible from that perspective. But our methods are based on NIST Cybersecurity Framework, as well as other lower recognized standards and practices. We recognize the industry that we serve, the industrial industry. So we also follow those recognized standards alongside the NIST Cybersecurity Framework. And certainly, as more attacks are targeting the industrial control systems, we actually have been seeing obviously an increase in requests from our customers. In terms of -- they're requiring a 62443 based assessment against their cyber program, as well as their critical industrial or assets or control systems. So what we see on the left-hand side is just an example of a standard approach that we often take with our customers. And this multidimensional approach, it really kind of helps inform customers of their level of compliance relative to those standards like 62443. It also helps them evaluate and understand that the true state of resiliency that exists and we provide reports on some of the key risks and vulnerabilities that, that site may be facing as it relates to the threat landscape. Also, I'll say that the last thing I'll knock here is really tied to that security is embedded into the fabric of our organizations in terms of when we think about one of the pillars of this framework, supply chain management. We back our power supply chain. So as a trusted partner, we definitely take pride in our 62443 certification. So the right side, it really kind of reflects Rockwell's commitment, right? We take the security costs very seriously. So we want to make sure that our customers' security journey is supported. So we really want to elevate our commitment to bring visibility to that we're in journey with you all. So this really kind of highlights key certifications that include not only our say, internal security development life cycle processes, but also even the products that gets where we put on OEM equipment that lands into your environment. So this is also a focus on our products and our services and expert capabilities that really help our customers be able to design and secure requirements, and also be able to define what type of target levels they want to be at and incorporate those into their standards. Okay. So this is just, I'll say, an example here, right? Because we have been able to help a wide range of customers identify gaps across their environment, right? So this is a use case of one of our mode of customers. We serve a lot of different customers, but this is out of one of our mode of customers, who -- they had some concerns about potential risks or exposures that could be exploited relative to the vulnerabilities that they were concerned about in their environment. So think about ways that an adversary gains access to a network or to assets. They wanted to make sure that they weren't exposed to that. So they collaborated with us. They wanted to launch an investigation, our team of ethical hackers, right? They leveraged pen testing exercises in order to discover different types of vulnerabilities and demonstrate control of assets within that production environment. Now obviously, we do that in a safe way, a safe manner. Just to kind of simulate this is the attack path that might have been taken. This is the different tools and tactics that may have been leveraged. And we report in a collaborative way, right? We're reporting on the results, we report on those findings, and then working with them to remediate those gaps. So this was just an example of how we walked through that exercise with them as part of that investigation process. And then from there, started to help them build out a plan to remediate and address those gaps across a few of their sites. All right. So I'll say, kind of as we start to kind of summarize, right, it's really about translating cyber risk into business risk and being in a position to manage that risk properly, right? Because our goal is to make sure that the business is running safer and is running in a secure manner. And you want to definitely make sure that you're taking the collective steps. There was good responses that people reported today that you are taking steps, that you have started the journey of starting to identify risks and you continue to get better. Keep doing that, right? Those are the proactive steps that you need to take in order to really kind of identify cybersecurity risks and see how that has an impact on your business objectives that is, right? So these are a couple of things that I wanted to start to kind of close out with as in relation to how can you go about doing this. What are some things that you want to do is focus on definitely changing the IT versus OT narrative, right? Align all risks, align all scenarios, unify your cyber program. Change that narrative. That's very important. We have a common goal and common objective that we're after. Also, continue to document all risks and threat intelligence around those assets, right? And it starts with identifying what you have. So continue to identify your assets and document as much information around it and do it in a robust manner. So that way, it's working more efficiently and effectively as well. Also, oftentimes, security projects, they don't get funded, because they may not have the right context, or they may not -- or leadership may not understand it. And actually, we're going to talk about that in one of the future webinars. But you want to offer adequate information that really helps them examine the severity of the risk, right? So you don't want to just be taking a list of CVEs and vulnerabilities to management. You want to take a store, you want to take a picture around what does this risk mean. You look at severity. And then that kind of helps ranking against other risks, right? So that helps them kind of prioritize the risk. And from there, you can develop a strategic roadmap that really looks at how do we pull the gaps on these risks. That might be a combination of things. Like I mentioned before, we may have to do modernization projects, we might have to implement other security controls, but this is how you prioritize it and do it in a manner that really provides a ______4327__feedback back to what this means to the business. And then from that, you want to be able to have a step-by-step and detailed action plan. What does that mean as far as risk treatment? What are your go tos? What are the things that we need to go tackle? How do we tackle it, right? So that's where we kind of want to make sure that you're developing an effective risk response strategy relative to that risk that we identified, and then obviously, continuing to stay diligent, visually that is, right? You want to make sure that you're continuously monitoring risk as the threat landscape continues to change. And then also, as you mature, we're starting to see organizations starting to look at different types of maybe metrics. There's maturity that's going to be coming around that, but you want to be able to monitor how these controls are performing? Keeping it simple, are we better or more safer than we were yesterday, right? And that's what it's about. Making the progress and allowing the business to run in a more safer manner than it did the day before. So, as we will be ready to close out, as I mentioned, I want to offer up a tool that we are now making available to our customers in order to help them start that process. And it really starts with kind of understanding and identifying where you're at. So online, we have a preparedness survey assessment that really allows you to kind of gauge where you're at, and it really breaks it by industry, region, industry, and it's been very effective with some of our customers who have started to use it to really say, "I now have more insights of where we're at, and like I have a better organized plan around how I want to get started or take this case of management." So this assessment, it ranks you and rates you within these different categories. It takes a few minutes to complete it. and then you get a report that's generated. It's all personal reports, it's confidential. You can download it. And you could use this as a way to get some insights, ask the right questions, start to rally your team really around a security strategy. So I encourage you to access this. It's available. It's online. And this here, I'll give a few minutes that will allow those to be able to just scan a QR code and get the access link for this. So I'll let this sit here for a minute. I'll take a sip of water actually at this time. All right. We will be sending that information out, so you will have access to it. As I mentioned at the beginning, we started this journey because -- as far as this webinar series, that is, we started this because we were taking inputs from our customers, we were running different types of surveys, leverage the third parties to get a pulse on what are some of the barriers that customers are having when it comes to improving their security programs, and with recognizing the gaps, we said, we want to make sure that we're doing our job in order to form and make our customers aware of different ways they can go about attacking these challenges, and we're doing that through a series of webinars, right? So today, we went through the identify function pillar. And then we're going to be going through all the other different pillars that are part of this cybersecurity framework. So this is a list of what's coming out. Next week, we're going to be -- on the 12th that is, I invite you to tune in to -- talking about how we are going to help the organizations to protect in case of attacks, followed by detection and also kind of looking at response strategies to mitigate losses, and then going to how we store, recover. And most importantly -- I won't say most importantly, but this is the big part. Everything needs to be funded. So how do you make a case and sell that case to your cyber executive team. So on-demand is part 1. You should go back and access that. Brian laid out good sort of steps to take in order to develop a proactive approach. So with that, I will end there and take maybe a couple of questions. Let's go in to see if we have any questions in the chat.

All right. So Brent, great question. So he says, does Rockwell have a list of vendors recommended for pen testing? And the short answer to that is, yes. I'll say, we have our experienced cyber team that specialize in these different capabilities. So we have a dedicated team, that is, of ethical hackers that specializes in doing these different types of tasks. So the short answer is, yes, we do have a list of vendors and it starts by a lot of our internal SMEs that are part of our cyber excellence team. Okay. I see here. So here the question here is what is Rockwell offering for automatic backup restore and disaster recovery? Great question, right, because you want to have a robust recovery plan, right? So we certainly have tools and capabilities that help with that. And obviously, this requires capabilities that are vendor agnostic, right? So we do have vendor agnostic tools. So one of the platforms that we do use is part of our FactoryTalk AssetCentre. That is a tool or platform that a lot of our customers leverage as part of their disaster recovery and change management strategy. So we also look at that and leverage it from a situation of, one, understand what are those assets that are part of critical processes? Do you have backups of those? Have those backups been tested. Do we have them documented? So we have the tools, but it's more of a just a tool in itself. It's also understand and testing to make sure that you're ready to respond. And that ties to a bigger story around your resiliency strategy. So I would say, think about your overall silent resiliency strategy, which operates from the assumption that if we have an incident, what does it take to quickly recover, right? Because assuming that we're already compromised, what do we need to recover, what are the key pieces that are essential to that, and are we ready to go? And then that process dictates the tool. So a great question. So I'd say just make sure that you also tie to the broader narrative that is. Right. Let's see. Brian, another good question. What tools does Rockwell have available or recommend or support to perform asset inventory for servers and workstations? So yes, we have a collection of tools, right? And we work with a lot of our technology partners. So we work with a lot of the best-in-class technology partners. We have a whole ecosystem of partners, and also even tools ourselves that we utilize. So it ranges from different types of tool sets that we may use. There are different characteristics to those tools. But I'll say this, the way that you want to do it, you want to do it in a passive manner, you want to do it in a safe manner, and do it where it's not disrupting your operations. So we do have a lot of partners. For example, we have partnerships with Dragos. We have partnership with Claroty. We have partnerships with Fortinet. So we have a broad set of partners and technology stacks, but you also want to think about the process and how you go about doing it. And then how you do that effectively to align with your operational goals. Let's see here. This question here is, what tools can we use for document asset management automatically besides using AssetCentre? Yes. So great question, again. Asset management -- AssetCentre, that's one tool within our toolbox or our technology stack. So when you think about the need for ongoing automated capabilities with asset inventory, there's other types of partners that we work with, that does it. And we work to bring it together, in an integrated manner, that really helps you identify the key things that matter most. So not just the status of that asset, but also security parameters around that. So again, we have different partners that we work with that I just listed a few of them. So we bring the right tool set to the problem, but we start that problem -- we start addressing that by understanding what is it that you're trying to address, understand your current processes for document assets, and then we wrap our capabilities. And we also provide innovative solutions, where we have a dedicated innovative team that takes core technologies and apply them in ways that our customers are looking to solve unique problems. So hopefully that answers a little bit more. Let's see what else we got here. Let's see. The question says, well, what standards is our risk assessments based? Does it follow the NIST or 62443? Good question, because -- we blend them together. So the NIST Cybersecurity Framework, it provides a guide. It provides the logical steps that you fall through, and as you get into those categories and subcategories, it then references the standards. Standards give -- things tend to construct in measure. So it references 62443. So you can use the NIST to get an understanding of the maturity when it comes to certain capabilities around your protection, detection, and so forth. 62443 allows you to get more measurable standards. And so with the industrial automation and the environment we're serving, 62443 really takes into consideration the uniqueness of that environment. So we're doing risk assessments that include both, right? So we're doing 62443 type of risk assessments where we're ordering your network, we're looking at configurations, we're looking at traffic flows from the connecting designs in terms of security, policies, targeted levels, and making recommendations to say, this is where you're at based on where you want to be relative to 62443. This is what you need to do in order to kind of close that gap. And we can link that back to the core pillars of the NIST Cybersecurity Framework. So that way, you can say at management, we are running these activities that addresses this capability in order to reduce the attack surface. So it's a unified [indiscernible] approach, and you can definitely call with more questions on what does that mean specific to your organization? I think I may have time for one more question. There's a lot in the chat. And I will say we will be responding to all these questions that are in the chat. There's just so many that I can't really get to. Let's see. This one says, what is Rockwell's cybersecurity assessment offering for both air gap and IT/OT connected RA systems? Also, does RA conduct pen test similar analysis on no Rockwell systems or complete systems inclusive of Rockwell? The short answer, as we're out of time -- we got it in. The short answer is that our cybersecurity services are vendor agnostic. We are looking to protect the environment. I don't care if it's Rockwell or not Rockwell, and we do the pen testing in a safe manner. Our team is specialized in these areas of how to do that and do it in a collaborative way. And we do it in a meaningful way to ensure that -- threat intelligence from what we're seeing, let's look at that scenario, I see if you are vulnerable to it, and then let's address the gaps based upon that. So that there, it takes us to the end of time. Thanks again everyone for sticking in here with me for the last hour. It has been great connecting with you all. A lot of good questions here. Sorry, I might haven't been able to get to them all, but we will be sending this out in e-mail and look forward to talking with you all in the future, and don't forget to join our upcoming webinars.

All right. Thank you very much, Travis, for this insightful webinar. It was a pleasure to hear all of those interesting insights. At the close of this webinar, I would like to remind you that in case you didn't get an answer to your questions, just don't worry, we will do this by e-mail. You will get a follow-up e-mail a couple of days after the webinar. So with that, I would like to thank you for attending today's webinar. And in an effort to keep improving and providing topics of value to you, we kindly ask you to participate in our brief survey that will pop up just after the webinar is done. And if you would like to speak to a representative for more information, you can make that request in this post-webinar survey, so that our representatives can get back to you with some more information on the products that you would like to know more about. We look forward to seeing you again at our next webinar, and I wish you a great day ahead. Thank you very much, and have a good day. To you, Travis, as well.

Thank you.