Rockwell Automation, Inc. (ROK) Earnings Call Transcript & Summary
September 14, 2023
Juliana Coneglian (attendee)
Before we get started, we have a few housekeeping items. The audio for this event will be streaming through your computer speakers. So make sure your volume is turned up and your speakers are turned on. Our webinar platform performs best on Chrome and Firefox browsers. On the lower left-hand side of the presentation, you will see a Q&A box. We encourage you to enter any questions you have here, and we will answer them at the end of the presentation. If you're having any trouble connecting to the webinar, please take a moment to refresh your browser and disconnect from your VPN. If you're still having trouble, please clear your cache. We have instructions in the handout section of the webinar platform. All of the panels on the webinar platform are adjustable. To resize, simply click the corner to adjust, or hit the maximize screen at the top right-hand corner of each panel. Today's event will be recorded and will be available right after it is completed. You can access the recording utilizing the same link you used to access the live event. After the webinar, we will also be sending you an e-mail with the resources from today's event, including the slides, handouts and event recording. Additional information regarding today's topic can be found in the handout panel on the webinar platform. With that, I would like to introduce our speaker for today, Fernando Goncalves.
Fernando Goncalves (executive)
Juliana, thank you, and hi, everyone. And thank you for your time today. I'm Fernando Goncalves. I'm responsible for the commercial development of the cybersecurity services in the Latin America region within Rockwell Automation. I will talk today about the importance of detecting cyber threats in a timely manner. It's important to say that this is our fourth webinar in our 7-part series detailing the NIST Cybersecurity Framework functions and how to apply its key concepts to build and implement a solid cybersecurity program strategy for your business. So these are the topics we will cover today. We'll start with a quick overview of the NIST Cybersecurity Framework and its benefits. Then, we'll get into the key categories and objectives of the detecting function. We'll review the threat models, our capabilities and offerings supporting the detecting function with a case study, then some recommendations for building a solid business case. And finally, a summary with details about the upcoming webinars. Again, if you have any questions, please use the Q&A function. Our team will make sure to provide the answers during or after the session. All right. The NIST framework -- the NIST Cybersecurity Framework was first created in 2014 in response to an executive order mandating increasing -- increased cybersecurity of the nation's critical infrastructure. Since then, it has been widely adopted by organizations of all sizes in all industries, voluntarily or through mandates. The framework has been structured around five key functions: Identify, protect, detect, respond and recover, with a total of 108 subcategories that define the practices organizations should consider when assessing their own cybersecurity program. It is designed to be vendor-agnostic and scalable. Proposed enhancements aim to align the framework with current best practices.
Notably, a new govern function was introduced in August 2023 to emphasize cybersecurity risk management governance, shifting some categories from the existing identify function to the new govern function. The intent of this change is to highlight the importance of any security -- cybersecurity program to develop appropriate policies and procedures, assess and prioritize risks, and clearly define roles and responsibilities. The NIST Cybersecurity Framework can be used in conjunction with other standards like Critical Infrastructure Center or the CIC in Australia; the European Union's Network and Information Cybersecurity Directive; Germany's Platform Industrie 4.0; the U.K.'s National Cyber Security Center; or the International Society of Automation, the ISA; the IEC 62443 standard for comprehensive cybersecurity programs implementation. So the NIST Cybersecurity Framework offers numbers -- or numerous advantages as a voluntary approach developed by a collective of cybersecurity professionals. It's widely recognized as an industry best practice, providing a comprehensive set of controls. By leveraging the insights of a diverse community, organizations can identify blind spots, grasp different perspectives and enhance cybersecurity. The framework enhances trust within the supply chain and supports business growth by maintaining security standards. Moreover, the NIST Cybersecurity Framework bridges the gap between technical and business stakeholders through its risk-based approach, facilitating integrated risk management aligned with business goals. This fosters improved communication, justifies security budgets and develops a common language across different departments from IT and OT to the boardroom. The framework's flexibility stands out due to its risk-based and outcomes-driven nature. It's successfully employed across various industries from critical infrastructure to smaller enterprises.
Thanks to its customizable and intuitive core functions, it's a practical blueprint that accelerates adoption and offers continuous guidance. Lastly, the NIST Cybersecurity Framework is forward-looking, making it a dependable tool for developing and adapting cybersecurity programs to align with evolving standards and regulations. So it's important to say that the Rockwell Automation cybersecurity portfolio of solutions and managed services are mapped to the widely recognized NIST Cybersecurity Framework. Using this framework makes it simple for clients to understand how Rockwell Automation solves key categories of industrial cybersecurity. So the detecting function. Detect refers to developing and implementing processes for the timely detection and discovery of cybersecurity incidents or events. The first category in this functional area is anomalies and events: anomalous activities are detected in a timely manner and the potential impacts of the events are understood. The second category under this functional area is security continuous monitoring. And it's described as: the information systems and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of proactive measures. The final category under this functional area is detection processes. It's described as: detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events. Now let's look at the types of threat information to be monitored and analyzed. Baselines are used to set minimum security safeguards for IT and OT systems, allowing organizations to apply security thresholds and conduct risk analysis reviews for high-risk and critical systems.
Deviations from the baseline trigger alerts, and organizations should establish initial security baselines based on system categorization while also implementing detection strategies, controls and sensors to proactively mitigate threats and gather intelligence to identify potential security breaches. It's essential to learn from detection activities by analyzing recurring or high-impact incidents in all functions. The major types of threat information, for example, would include indicators. These are technical artifacts or observations that suggest an attack is imminent or is currently underway, or that a compromise may have already occurred. This can be from your IDS, intrusion detection system; the IPS, intrusion prevention system; firewalls, logs or audit records. The tactics, techniques and procedures, also known as TTPs, describe the behavior of the actors. TTPs are a concept in terrorism and cybersecurity studies. The role of TTPs in terrorist analysis is to identify individual patterns of behavior of a particular terrorist activity or organization and to examine and categorize more generic -- general tactics and weapons used. The same methodology is used in cybersecurity to look at attack patterns and vectors. So then the security alerts, also known as advisories, bulletins and vulnerability notes, provide technical notifications regarding current vulnerabilities, exploits and other security issues. Similar to incident response reports, threat intelligence reports are documents that describe TTPs, actors, types of systems and information being target -- targeted and other threat-related information that provides greater situational awareness to an organization. So the threat intelligence reports are threat information that has been aggregated, transformed, analyzed, interpreted and enriched to provide the necessary context for the decision-making process. And finally, the tool configurations.
These are recommendations for setting up and using tools that support the automated collection, exchange, processing, analysis and use of the information. So I think it's important here -- the important thing here is to understand the type and complexity of the visibility information that needs to be managed, considering the levels of visibility in the OT environment. Bottom line, you cannot detect what you cannot see. So let's talk now about the most common threat actors within the industrial control systems landscape. We are typically talking about cyber criminals, terrorists or nation states that may want to go after the supply chain or intellectual property of an organization to either gain a competitive advantage or take down those assets, right? But a lot of the other threats can sometimes be inside risks, whether that's malicious or not. So that's why it's important to be aware of the threat actors and their motivations. For example, nation state actors conduct computer intrusions to steal sensitive state secrets and proprietary information from private companies or, in other words, espionage. Or the nation state actors sabotage military and critical infrastructure systems to gain an advantage in the event of a conflict. So the insiders. So trusted insiders steal proprietary information for personal, financial and ideological reasons. Terrorist groups sabotage the computer systems that operate our critical infrastructure, such as the electrical grid, normally to call the attention of society to an ideological matter. And the activists use computer network exploitation to advance their geopolitical or social cause. And finally, the cyber criminals: individuals and sophisticated criminal enterprises steal personal information and extort victims in financial gain -- for financial gains. Now the threat actors.
Now that we know the main threat actors and their motivations, we'll take a look at the typical network architecture to see some potential doors that can be used to get access into an industrial control system network infrastructure. First, we see the actors classified as insider and external. The incidents may occur by actions of one of them or, most likely, as a result of coordinated actions of them both. It's quite an interesting dynamic here, as we are seeing the evolution in threat actors, in the compute services that they are targeting and in the different ways they are targeting infrastructure within the manufacturing space and exploiting vulnerabilities such as unsecured remote access, unsecured credentials, poor network segmentation, third-party access, outdated operational systems, vulnerable protocols, default or shared user accounts, right? By knowing the threat actors, their motivations and how they can get access into the network infrastructure, either as an insider or external, it's important to be aware of the signs that may indicate a cyber incident is underway. Unusual user activity, such as time of access, repeated authentication failures or logging in from unusual locations; unusual network behavior, such as communication on nonstandard ports or uncommonly high traffic due to the -- due, for example, to a large file being transferred; suspicious registry changes, such as new registry keys from unknown applications. And DNS request irregularities, such as DNS requests to an external host or DNS communication during nonstandard hour -- work hours, among others. As you see, there are several factors that need to be monitored and contextualized in order to detect a cyber incident as early as possible and then run the countermeasures that will protect your business.
So next, I will ask for your participation by helping us to understand what types of technologies or methodologies you are leveraging to improve the industrial cybersecurity posture in your business. So please feel free to select all the alternatives that most apply for your business and click submit. I will give you about 20 seconds to answer this question. Then the summary will -- with the results will be shared after the webinar by e-mail. Right. Let's walk through some alternatives here. So computer cyber hygiene external service for installed base evaluation. So are you using industrial firewalls, data diodes, physical and/or electronic access control measures, security zoning, segmentation, IDMZs, threat detection monitoring tools? Are you guys just starting to consider using these kinds of technologies or measures or methodologies? So no plans or funding at this time? Or not sure where to start? So feel free to select and click submit. Again, the results will be shared by e-mail after the webinar for the live participants. Thank you. Okay. So I will talk now about Rockwell Automation's threat detection services capabilities that are allowing our customers to stay ahead of the threats. So first, let me walk through the common threat detection challenges and how we are addressing them, even though I believe that some, if not all, of you are very familiar with them. So the first one is alert fatigue. So the growing number of alerts requires investigation and overwhelms the staff. So the system tuning services will help on limiting the false positives. So the second challenge is the lack of context and actionable data. So the alerts do not contain sufficient context to take precise action. So the alert triage is necessary to help on prioritization. Limited staffing bandwidth or skills. The inability to guide OT personnel on how to remediate OT alerts may be minimized with alert remediation guidance that speeds up alert resolution. Management and maintenance.
Routine updates and patching required for peak performance will need software maintenance support to stay up to date. And then insufficient reporting means the existing reports do not show if cyber posture is improving and why. So the value reporting with the KPIs will show the cyber posture trends. So with that said, and understanding that these challenges have potential to cause several severe business disruptions and downtimes, Rockwell Automation has been developing a comprehensive set of capabilities and offerings that are helping our customers to stay ahead of these threats. In a nutshell, we perform the implementation of threat detection systems of global technology leaders such as Claroty, Cisco and Dragos that may be on-premise or in the cloud, completely configured in the customers' network infrastructure. As a key benefit, our customer can detect the threats across the networks, assets and endpoints. Then we have the 24/7 managed threat detection services, our SOC as a service, that performs real-time monitoring of the alerts generated by the threat detection systems and quickly detects and prioritizes anomalous behavior, getting in contact with the customer and providing guidance for the alert resolution. And the 24/7 managed network infrastructure services that also provide real-time monitoring of the OT network infrastructure, industrial data centers and asset life cycle. So next, we have some more details about the 24/7 managed threat detection service scope of work. As you can see, it's a very comprehensive set of capabilities to help complement our customers' workforce at global scale with our domain expertise in OT. Some of the highlights of the scope of work, or some capabilities of the 24/7 threat detection managed services, can be seen in this slide with the benefits. So in sum, like the system tuning, the software updates, the network and threat -- network monitoring, threat detection.
So I think this complete set of services adds a lot of value to the customers. And based on that, I will share next a real use case of the threat detection services. So in this case, our customer is a renowned pharmaceutical company with 64 sites globally that required a fast, scalable and comprehensive OT cyber strategy to mitigate risk to their enterprise. The customer implemented network segmentation at 64 sites to separate their networks and introduced threat detection services to obtain daily system asset information, including vendor, model, operational system, version and [ clear more ] details, while also establishing a real-time threat intrusion monitoring environment. With assistance from Rockwell Automation, the customer transformed their security culture and rapidly implemented a globally consistent strategy to address the entire attack continuum. So all in all, submitting a strong business case involves gathering relevant data, aligning investment plans with business needs, risks and compliance and understanding organizational requirements. Key steps include conducting an audit, managing expectations, calculating the ROI and identifying suitable investment areas. Let's walk through this. Run a complete audit. Perform a true security audit to assess your current security status, identify the location of sensitive data, determine who needs access and monitor who currently has access, recognize the potential risks of insider threats and avoid granting unrestricted access to all organizational data. This process, while time-consuming, provides a comprehensive overview of your security posture. Next, set the right expectation from the beginning. Cybersecurity is not a product or service. [ Shooting ] a company for losses is the only way for it to have any financial benefit. It would help if you showed how this could best -- sizably impact the organizational budget while figuring out your business case. The trick is to speak the language of numbers.
For example, if you can explain how a $1 investment would stop an event that could cost $10 to the company, you can get the management to vote on your side, right? So formulate the return of investment or return on investment, the ROI, meaning a number of direct savings can be measured based on the size of the company, using budget elements of labor savings defined by the full-time equivalent or the FTE per cost saving per year and the reduction of costs associated with software systems and services to aid the cybersecurity management process. The direct savings may be amounts between $100,000 to $150,000 per year for smaller organizations. The number for larger multiunit enterprises usually falls within the $200,000 and $300,000 range. So determine -- determining the right areas of investment gives your management the data that will determine the investment decision. If visible, focus on the series of threat vectors already present, such as restricted or inadequate services for employee training and security awareness, policies and processes that are insufficiently recorded and applied, undocumented proposals for untested disaster recovery and company disruption, lack of device backup, patching updates and patching practices. So formulate a risk-reward equation using a tiered security approach; you can then begin directing your investment towards detection, compliance and incident response. So in summary, these are five steps we recommend for choosing the right cybersecurity solutions: First one, identify the needs of your organization based on business goals and risks; two, decide how much to allocate to each business goal and risk; third step, determine which capabilities offer the most value; find products that deliver the capabilities for the best price; and then keep track of changes within your business, the threat landscape and product innovations and rebalance accordingly. And remember, you are not alone.
Reduce enterprise security risks with the help of Rockwell Automation, OT and cyber domain expertise. So at this point, I would like to pick some questions from the audience.
Fernando Goncalves (executive)
See here. Right. I think we've got some good questions here. So the first one, we have not mentioned anything specific about the technology partners or tools, right? But we got a question, which network level do you install the Claroty application? So the answer here is -- so the Claroty or the other platforms we work with are installed at the core or distribution layer. Another question here. Yes, that's a good one. So do you have any recommendations you can give for customers that are using their PLCs with two separate communication modules to connect to their IT and OT systems together versus implementing a firewall or a full IDMZ solution? So our first recommendation here would be to immediately remove all dual devices that connect to the IT and OT networks together, right? That is a big security risk. If for production reasons, the customer cannot remove this dual network device, they should implement a threat detection technology that monitors the traffic. So if they ever were under attack, they would not be notified immediately and could respond quickly. So let's pick another one. Good. Do you have any comparison data sheets of Claroty with other IT-centric tools like SolarWinds? That's a good one. And the answer is yes. So if you access Claroty's website, you can pull down a data sheet that compares Claroty to their competition and how they differentiate themselves. I would say SolarWinds proposed in a customer environment is completely different than Claroty. SolarWinds actively scans the network and relies on the agents being installed on devices to uncover application information and patch level. So Claroty passively monitors network traffic and doesn't require agents preinstalled on any end devices in order to gather information about the network. Good. So we are good in time. So I would now share the upcoming webinars.
So for the questions, we will make sure, and our team will make sure, we answer all of the questions that we have received through the Q&A, too. Thanks for the participation and contributions. So what's coming next? As I said at the beginning, this is the -- this was the fourth of a 7-part webinar series that was designed to support you to be successful, gaining adaptive support to implement a strong cybersecurity strategy to your company. So the next two webinars will be on September 19, how to mitigate losses from cyber attacks. Then on September 21, how to restore operations after a cyber incident. And on September 26, how to sell cybersecurity to your C suite. Also, you can find the parts 1, 2 and 3 on demand in our Rockwell Automation webpage. Good. With that, I would like to thank you again for the time. And hopefully, this information is very useful and actionable for you and your business. Thank you very much and stay tuned.