Rockwell Automation, Inc. (ROK) Earnings Call Transcript & Summary
September 19, 2023
Earnings Call Speaker Segments
Unknown Attendee
Hello, and welcome to our webinar. Thank you for joining today. Before we get started we have a few housekeeping items. [Operator Instructions] Today's event will be recorded and will be available right after it's completed. You can access the recording utilizing the same link that you use to access the live event. [Operator Instructions] Additional information regarding today's topic can be found in the handout panel of the webinar platform. With that, I would like to introduce today's speakers and today's speaker, Saby Goswami. Hi Saby, how are you doing today?
Sabyasachi Goswami
Hi, good morning or good afternoon. My name is Saby Goswami. Let me -- slide -- topic, my name is Saby Goswami, I am located or based in Singapore, Rockwell. Rockwell, Singapore also hosts the manufacturing center if you know, we have globally 15 manufacturing locations. My role is, I'm Cybersecurity Commercial Leader for Asia Pacific. And for us, Asia Pacific is from Australia and New Zealand to India, to China, to Korea, to Japan, plus Southeast Asian countries that we have. We are doing a 7-part webinar series and this is one of that series and this series is framed around NIST cybersecurity framework, NIST, Identify, Protect, Detect, Respond, Recover. We are hoping that this series would help you gain executive support to successfully implement stronger cybersecurity practices in your company. Today's focus, of course, is Respond function of the CSF cybersecurity framework. That is how to prepare today to make your manufacturing operations more resilient to cyberattacks tomorrow. However, let's start with -- I would cover some of the basic framework fundamentals. So the agenda is more on the landscape and challenges that we face. Why do we need a partner for our journey? What's the NIST framework? Quickly. Then getting more detail into Respond functions, IR strategies, some examples and templates and success stories. Plus at the end, I would like to go through building a business case and cybersecurity preparedness assessment that is available at your fingertips, right? There's a lot of content by the way, in my slide. So some of the slides are more for information purposes which you can -- because deck is available to you, you could access them in future as well. But for the purpose of my presentation today, probably I will skip them quickly, and some of the slides are more fundamental, and I will more go deeper in that. Moving forward, this is a graph of cybersecurity landscape, right?
Now to set the context, let me refer back to a recent report that Rockwell has published, recall in 2023 and it's available on our website, 2023 State of Smart Manufacturing study. As per the report, the report actually, we got responses from about more than 1,300 people from about 13 manufacturing countries. And their role were from management up to the C-suite. And as per this report, majority of the manufacturers, they said they're struggling to outpace competition and that is mainly due to lack of innovation, skilled workforce, technology. Close to half of the manufacturing populations who responded, they are planning to adopt, some of them already started, right? The plan is -- smart manufacturing within the next year to outpace competition, and this is small Asia Pacific landscape I'm talking about. Cybersecurity risks rank highest as the obstacle as people are trying to be forward using digital transformation, methodologies or techniques, right? So cybersecurity ranks as highest obstacle for them and why not? Industrial companies are basically prime targets for the hackers. 61% of the manufacturers have experienced a breach. 60% of the attacks go undetected and underreporting is a huge, huge problem for many states. Every organization is vulnerable, most companies are not prepared, and that may lead to catastrophic event. So our recommendation is to be proactive and prepare, and then respond is something where it helps us to prepare better for an incident that may come tomorrow. However, there are challenges. 75% of the executives believe OT infrastructure is too complex and complexity we know exposes threat. Now we also know OT infrastructure and its security is different than an enterprise IT infrastructure and its security. In IT, priority is pervasiveness of data and its confidentiality, in OT, priority is in reliability, integrity and availability, uptime is the game. If there is an issue in manufacturing, isolate the problem, but let's continue.
That's the mantra. Outcome in IT is more digital, in OT it's more physical. So a cyber incident with an altered recipe could make a lot of damages to the society, to human and environmental subject. Endpoints in IT are homogeneous mix, with short life span, 3-to-5 years and we are very familiar with that, our own laptop, iPhones, et cetera, versus in OT, they remain for a long time. Their endpoints are, by the way, heterogenous in nature, thus specific and long time. As a result, this leads to a situation where manufacturing plants are very unique with legacy unpatched infrastructure, that attackers mainly aim. And there are just too many vulnerabilities in production environment around OT, right? We cannot just say let's patch them all as we might do towards enterprise IT. That's how it's much more complex, and we need OT specific strategy, OT specific incidence response plan, OT specific team, et cetera. The complexity along with the widening skills gap, but the question is the people, right, people. People are the weakest link. People are also the means for us to solve challenges, right? So the complexity along with the widening skills gap to understand and manage issues makes it more challenging for companies to implement security controls. So you've got to simplify this complexity for customers to have bite-sized investment decisions and progress with an effective and sustainable journey with improved cyber hygiene. So quickly, again, to the fundamentals, right? On the top is the situation and the bottom 4 is the requirement, right? And then we know different adversaries, whether it's insider, terrorists, activists, criminals. The situations on the top of the challenges and the objective is to gain unified IT and OT teams for all 4 boxes at the bottom across all prioritize critical sites. The threat landscape and cyber landscape are evolving rapidly. Cybersecurity hygiene and practice is not a technology point solution deployment or a onetime event.
The best approach is a risk-based approach, starting with identifying assets matched to vulnerability, then building our comprehensive and unified IT and OT cyber resilience plan then onwards. Correct. I now go to audience poll here, right? And basically, this is the 4 choices here, and I said complexity, and complexity, what we say, our recommendation is that you need a trusted partner to help you with this journey, right? So what are some of the challenges according to you that you are facing in finding a right partner? Is it the knowledge and experience of your partner? And around again cybersecurity in OT is pretty deep, right? Continuity of a partner over time, a partner can come and go versus somebody, as I said, the manufacturing is going to stay, right? They were there, we have 30 years old plan. We have recent plan, brownfield, greenfield, they're going to stay, right? So continuity of the plan. Certified consultants, people who are doing the job and people are also the worse link. One-stop shop that help you control systems, networks, cybersecurity and cybersecurity holistic [ civilian ] protection. So what according to you? And here, I'm seeing some trained -- knowledge and experience is kind of 40%, certified consultants and one-stop shop is 20%. Okay. So let me show the results. I see I move to the results section for your benefit. And I see a -- slowed it down. This is just pretty good, right? Knowledge and experience in OT. And I see -- IT security is there for quite some time. We are using -- we ourselves are using antivirus in our laptop for quite a long time, right? That's familiar. But then securing the OT is quite -- and that's what we see within Asia Pacific, where I have a lot of experience with working with the customers, there are many IT players who are also having security angles. But really, we see a lack in understanding the OT, the ICS environment, and that is what I see is the reflections. Okay. 
So generally, our partner, these 4 questions were designed in a way to let you know that these are the characteristics that one could look into for a good partner, lifelong partner. Let me move to the next topic here. And my next topic would be more around the cybersecurity framework. The NIST cybersecurity framework is a good recommendation model for us to build cybersecurity resiliency. And by the way, we are a manufacturer, I mentioned we have 15 global locations. We have our own size so Singapore office that I sit in, we have our manufacturing centers, more than 1,000 people. We follow NIST cybersecurity framework and IEC 62443, right? That's a go-to model recommendations. NIST framework was created in 2014 in response to an executive order, mandating increased cybersecurity of the nation's critical infrastructure in the United States. Since then, that framework has been voluntarily adopted or mandated for adoption by organizations of all sizes and in all industries. The framework is organized according to 5 functions, as I mentioned, Identify, Protect, Detect, Respond and Recover. The NIST framework is designed to be vendor-agnostic and scalable. It is also non-prescriptive. NIST has shared several proposed changes to their framework in an attempt to make it more useful and aligned with the latest best practices while the core structure of the NIST framework is expected to stay the same. Several of the proposed changes are promising enhancements to their framework. For example, recently in August, NIST rolled out the sixth function to their framework that's Govern. This new function emphasizes the importance of cybersecurity risk management governance outcome. Many of the categories previously in the identified functions such as the business environment, governance and risk management strategy will be moved to the new Govern function. 
The intent for this change is to highlight the importance of cybersecurity program, to develop appropriate policies, procedures, assets and prioritize risks and clearly defined roles and responsibilities. So the NIST framework can be used as the basis for determining industrial best practices. And when combined with other frameworks and standards such as critical infrastructure centers, CIC in Australia, the European Union's network and information security directives, Germany's Platform Industry 4.0, U.K.'s National Cybersecurity Center or the International Society of Automation, ISA/IEC 62443, which I said we, Rockwell Automation as a manufacturer, we follow standards. Organizations [ combining ] this can help or reap the benefit of implementing cybersecurity measures that make sense. We will be focusing more on to the Respond functions. But before that, again, reiterating some of the benefits of the framework, right? It's the gold standard. It has in-depth set of framework controls, its a selling point across supply chain and vendors. It's a selling point to our bosses within the company, right? It reduces the gap between the C-suite versus the people who work on the ground because we are all using a common language or common platform, right? And that's why it's a go-to-model. So here is the Rockwell Automation cybersecurity solutions. Many of the -- our customers, and as we speak, we've developed -- now Rockwell has a robust cybersecurity solutions, right? And that is all our deliverables and solutions and services are aligned with the NIST cybersecurity framework. And that is Identify, Protect, Detect, Respond, Recover and including the Governance that's been mandated recently, right? And this framework, using this framework and the offerings that we have, what we do, we try to implement 5 major controls. And as you know, probably from the research, right, and that is developing an ICS, OT specific, ICS is industrial control system. 
Operational technology, ICS, OT specific incidence response plan, and I said these plans are generally different from the IT. We help building defensible architecture, again, talking about zero trust, et cetera. Both during OT monitoring capabilities, if I'm not able to monitor in real time what's happening, I can have the best roles, but still, I need to see what is the return on investments of different investments that I'm making by having those ability to monitor things in real time, right? Then prioritizing on OT vulnerability management. And again, assets are all unique, different, right, a lot of vulnerabilities unless they are visible to me. I cannot measure, I cannot control them, right? But again, every assets and its criticalities are not similar. So how do we prioritize them. That's a big task. And then once we know what's the priority, we can set up our -- the counter measures, right? And then, of course, because of the COVID, et cetera, we are now very familiar with working from home, right, leading many players working together, collaborate over the internet, and that needs secure remote authentication. So that define controls, I see that now we implement using this framework, which we also adopted ourselves as a manufacturer. Getting to now Respond functions. Now again, I go a little deeper and here, I'll skip a few of the definitions which you may access later to the slides that you have and ask us questions later on. But let me cover the holistic -- the agenda that we have today. So Respond function. This refers to developing, implementing appropriate activities to take actions regarding detected cybersecurity incidents and events. Said another way, it's an action plan regarding a cybersecurity incident. That means I'm planning something today hoping something may come, how do I know what's going to come, right? So I'm going to create those playbooks. 
I'm going to create those exercises, right, understand different scenarios, have team in place with roles and responsibilities. And then when something happens, then I could check and I'm ready to respond, right? If I'm not ready to respond, there's several consequences, right? There will be a lot of last minute rushing around, et cetera. So that's the Respond function. It supports the ability to contain the impact of a potential cybersecurity incident. One of the category under this function is response planning, for example, and this is -- response, processes and procedures are executed and maintained to ensure a timely response to detected cybersecurity events. The next category in the response planning or the Respond category is the communications, right? There could be lot of rumors around inside the company and outside, and there must be a person, right, a trained person, known person, authorized to communicate appropriately, right? Minimizing the damage. So response activities are collated with internal-external stakeholders as it prepare to include external support from law enforcement agencies. The next category in this functional area is Analysis. And again, you could refer back to forensic analysis. So that capability one must have in terms of making sure integrity of data and that evidence of data is admissible in the court of law, right? And you need -- certainly mentors and experts and people who are trained for this, right? So analysis is a big part once we find data, data could come from the network, from applications, from the different medias. That's all three in the system, right? The next category is the mitigation. So these are activities performed to prevent expansion of an event, mitigated effects and eradicate the incident, right? 
And final category under this functional area is improvements and mostly around the lessons learned, right, identifying if there's a weakness I have found out in the process of incident response, mitigations, right? So organizational response activities are improved by incorporating lessons learned from current and previous detection of responses. The response function is about developing, implementing appropriate activities to take action regarding a detected cybersecurity event. This is where we develop our business continuity program, which consists of continuity of operations, business continuity plans and disaster recovery plan. Now here, I have listed down a lot of these different plans. Now it is advisable. We recommend that we understand these different plans and what is their scope and how they are related to each other as far as the incidence is gone, they all help in different ways, again, in getting the systems or company back to where it was working before the incident. Little bit touching on the rule of evidence here. In the rule of evidence, as you see, it's all about the data, right? I talked about we need a forensic process in place to gather information and evidence dealing effectively with physical, digital, electronic information in the chain of custody and authenticity. The chain of custody refers to the what, when, where and how the evidence was handled through its entire life cycle from collection to destruction to [indiscernible]. And in breaking the chain can cast doubt on the integrity of evidence. That's why we follow a formal well-documented process easily in the form of a standard operating procedure that's used in all cases with no exceptions.
Remember, these are the 5 rule of evidence: it must be authentic, evidence needs to be tied back to the scene in order to be used, it must be accurate, your collection process must maintain authenticity of the evidence, it must be complete, all evidence should be collected, including evidence that supports or diminishes the reliability of other incriminating evidence. It must be convincing. The evidence should be clear and easy to understand and believable to a jury. Finally, it must be admissible. It must be able to -- you must be able to be used in a Court of Law. That's about the forensic nature of the work, right? Little bit about the backup and recovery strategy. And again, I'm touching on a few of the fundamental things that is critical for IR, incidence response planning and that is backup and recovery strategy, right? What type of data should back up, how often should I do, right? identify and implementing whether it's an on-prem or off-prem backup solutions, correct? To finally testing and monitoring that whatever I have identified, right, the work when there's an incident, right? What data, it means determining what critical data must be backed up for the company to operate and function, how often, decide the tolerance level? What is the maximum period of time between data last, and the last known backup, right? And every company has its own tolerance level, right? And that needs to be understood. Identify, implement, select an off-prem or on-prem backup solution, determine how long the restore process takes. And determine, what length of restore time is suitable for your company. And again, as I said, every company is unique, every department is different, right, in terms of criticality. Test and monitor, verify that the backup restore processes run smoothly and confirm continuous regular coverage. Okay. I now move to the next, very important thing is people, again, it's people, right? People buy from people, people solves people's problem, right? 
And here, we're talking about building an effective incidence response team. And remember, the widening skill-sets gap. So the question is how do you simplify this complexity that they need, right? So build an IR incidence response team with roles and responsibilities. And later on, we will saw a template with some roles, responsibility as an example. Part is involved, as I mentioned before, in OT incidence response management are significantly different to IT incident response management. And as a result, there are different implications to this, right? Establish an incident command system right in time. And this is very similar to like a fire drilling system or military system, right? This system could scale up or scale down very easily, keeping each member of the team focused on their -- part of the responses, including prior planning to various logistics and messaging that is communication, right? The system has rolled for incident commander, Public Information Officer, Safety Officer, then could include Chief of Planning, Operations, Logistics, Finance and HR. In other words, what you see in the slide, right, it involves cross-functional team members enter the company, right? It creates and then create roles and responsibilities. Determine if third-party help is needed, right? And there is the role of a partner. Lack of skill set, maturity varies from company to company, location to locations, geographically, right? Think about North America, Asia Pacific, EMEA, Latin America, all different, depending on the footprint that you have and what you are trying to manage, right? A trusted global regional partner, global or regional, correct? It depends. It depends on how many sites you have, you might be having 1 or 2 sites versus you might be having 100 sites, Rockwell fit scene, where we evolved, right? So a trusted global partner, right? 
And again, when I said trusted, you remember the polling questions I had, those are the characteristics of a trusted partner, right? So a trusted partner would ease the part here and they can give you a tailor agreement that could help this incidence response planning. And in case there's an incident then how we are going to respond very quickly. This is available basically in any Google search, if I do about incidence response life cycle, correct? So we are very familiar people who are responsible for IR team, right? That's preparation, identification, containment, eradications, recovery, lessons learned. Preparation, has everybody been trained? right, has everyone participated in a trial run? Has the responses' plan being approved by management? right? So that's a few questions that would be prepared. Identification, when did the event logged? or when did the event happened? has the source and point of entry being discovered? Does it affect operations? Containment, has patches been applied? does remote access require multifactor authentication? has the malware been quarantined? to help prevent further infections, right? And again, quarantine itself just didn't solve the problem, correct? So you've got to check, I don't know, is it cured? what you're seeing there. Eradication, has the malware or virus been securely removed? Has the system been tuned, right? How long will in recovery? how long will you take effective systems to be monitored? how the -- can the system be restored from secure backup? how long will it take the backup to be restored, right? In lessons learned, did this event uncover any weaknesses? Do employees require additional training? what tools or processes will be implemented to help prevent this from happening again? So it does not happen again, right? So it's continuous learning, improving the posture from the events and solid recording of information, things and disseminating those information across the organizations.
And as a result, the posture improves, the resilience improves, over a period of time. Here's a kind of a comprehensive cyber incident response plan and what I just mentioned before, it's kind of packed in a different way, 1, 2, 3, 4. And the step number one is preparation and readiness. It helps in establishing incidence response readiness before an incident. So that basically it's always about plans that most organizations are not prepared, and that could be catastrophic. So preparing and planning, being proactive and having a holistic view, understanding the vulnerabilities and prioritizing vulnerabilities, they are a very important right? And again, this CIS, what they be -- NIST framework helps us with that approach, right? So, IR readiness assessment, established communication plan, review network architecture processes, assets, et cetera, right? And I will be soon giving you an example here. Identify threat, proactively identify a threat within customer environment, identifying counter measures deployment, right? I said, build defensible architecture, right? There are many components of defensible architecture. Segmentations, IDMZ, firewall, antivirus, right? And again, antivirus has different flavors, on-prem, off-site, right, cloud native applications. A lot of things are happening in the OT with technologies and they're evolving. Remember, technology would come and go, what we had 5 years ago, what we have today, what is 5 years on the line, right? But manufacturing companies decides even if you are going to stay. So how we make them all work together to make my digital transformation journey moving forward, right, reducing the complexity that the cybersecurity is posing. Executing penetration testing, risk assessment, tabletop exercises, compromise assessment, right? 
On the third incidence response and investigations rapidly respond, likely respond to cyber-incidence and reduce time to recover with priority support to the IR professionals, incident response professionals. Basically, I talked about the forensic data, capability to have that record in place, analyzing data, forensic investigations, content, eradicate, and recovery. And finally, post incidence, post incidence is basically more lessons learning, correct. To review the root cause, establish scope of remediating the root cause and is this long-term strategy, long-term strategies, more learning from the incident and then implementing things that was not there before, right? So here is an example, and this is a global food and beverages companies, global sites, we work, there were 80 sites, right? And this journey started quite a back when the customer started, their main function was to improve OEE, right? They're trying to implement a global OEE platform. OEE is basically overall equipment effectiveness, which is a global standard for measuring manufacturing productivity. And OEE score of 100%, it means you are manufacturing only good parts as fast as possible with no stop time. That means 100% quality on equip parts, 100% performance as fast as possible and 100% availability, low stop time. So that's what this company was trying to do for their manufacturing or network infrastructure, okay? During this process, by the way, they were also impacted by 2017 NotPetya cyberattack. Many companies got affected, right? Some of the companies also kind of -- we are now hearing those lawsuits, correct, where these companies were asking the money from the insurers, insurance saying, no, we cannot pay because these are more war like event. And then court of law, deciding that, okay, no, they cannot compare several attacks as war like incidents, right, and people are losing. So things are evolving around those things. 
The solution that Rockwell did as Rockwell Automation network services engineers performed comprehensive network assessment across 80 customer facilities globally. And remember, the way we coordinate the time that we take, I think we have the best of the ability is within Rockwell, right? Together, we quickly developed our remediation plan to resolve outstanding network issues, catching, help driven further downtime challenges impacted by software applications. Now there was a sense of urgency because they were attacked, right? So as we're in the middle of the project, middle of the project, we had to do things pretty quickly. across 80 facilities, 80 sites globally. So globally we rolled out the network design, implementation, infrastructure, services that finally led to something we called industrial data center, right? Industrial Data center is an offering, it's a virtualized compute infrastructure. It's not just an infrastructure that helps you consolidate your footprint of network and computing infrastructure virtually, but also we manage that infrastructure. Remember, through this OT managed services, we simplify the complexity, right? And make this journey for IT people, we have the time, IT people start this initiative, right, or their OT much more sweeter. So when we have the 24/7/365 remote monitoring administration of these IDCs run by local automations, again, remote support centers, follow the same model. We have more than 16 of the centers around the globe, strategically located, managing and keeping systems up and monitoring whether it's a NOC, whether it's a SOC, IDMZ, firewall, and we have more than 99% of service level agreement. So customers have that. So outcome, in this case, was with new network infrastructure in place, the customer was able to improve OEE to enhance data accuracy and standardized reporting on a global scale. The success included reducing further operating losses by bringing production back online. 
So that was a bit in terms of how we see things, how we improve, remediate and then take plan. And similarly, there are different issues that could come up that Rockwell is in a position to handle and then effectively. So here is a template, right? And again, I talked about the team, right, and the roles and responsibilities and the team, the maturity, the people, every company has a variation, right? Geographically or depending on the -- what just you are doing, correct? So they are going to assess your ability as yourself, whether you need a coach and what kind of support you need from people like us and Rockwell, with solid domain expertise and solutions around the OT and ICS environment, right? So here is a template that is a specific example of plant-wide operational outage due to malware. This is just one scenario, right? Similar to that has to be -- many, many, there can be many, many scenarios that you can foresee. And if you would not have the maturity, then the partners would help you with the developer and the sites and then able to get those templates created. So you are more ready for the plan when something happens. A responsibility here down, you see IT, IR team, notified business, unit leaders responsible. So different actions are aligned here for this specific incident in case they happen. So an incidence response contract, it offers -- I'm talking about, in case you need a third-party assessing your ability to do it yourself. And I said, IT, many companies have the capability in IT incidence response. But at the moment, when it is comes to OT, there's a bit of gap and there, you need do assess, what do you need and how do you need, right? So here has been a familiarity for yourself, what a retainer contract would do to you, right? It's basically offers you support before and after, and it's a peace of mind. If you do not have the skill sets available within your company, right? 
Now generally, this retainer agreement is a multiyear agreement, and that people regenerate them when those experts are available to you, right, doing all those works, right, using their forensic capabilities, identifying the root cause, eradicating, remediating, right, and learning lessons. So they are in backup in case something happens. Now there is a possibility that there is an available hours not used, correct? Now those available hours could be used for proactive services like risk assessment, compromise assessment, crown jewel assessment. Crown Jewel assessment, again, I just said that OT assets, right? Too many vulnerabilities, priorities from asset to asset will change. It's not just kind of manage all the vulnerabilities together at the same time, so you kind of cherry pick your items, right assets and then try to do those assessments, right? Cyber training, I guess that people and training, correct, that's very critical part. We ourselves within Rockwell Automation, continuously go through training program. So we know, everybody within Rockwell, how should we behave in terms of different activities, different kinds of cybersecurity. And so that's happening around us, right, the moment we touch our phone or laptop. [indiscernible], I said creating your own playbooks, different incidents, helping you realize them and then make a plan, roles and responsibilities. Then testing, penetration testing, simulated cyber attacks to expose and uncover vulnerabilities and incidence response plan review. Review customers' incidence response plan to assess whether right personal procedures are in place to effectively deal with the threat. So basically, again, maturities, capabilities are different. You may already be having something, you may not be having something, right? So it all depends on where you are today and then how a partner could help you with those appropriate things to be in place for incidence response. 
Overall, a partner with the Retainer contract helps you to improve your cybersecurity posture, uncovering operational gaps and vulnerabilities to using proactive services, right? So that's what this generic event does, availability of those services, reducing recovery time from an incident. In case something happens, then you have quick response time because there's a team dedicated, you can just activate them, right? Prioritizing, that is guaranteed availability of resources, right? If you are not prepared, you do not have anybody and you are just acting after the incident, that's to be cleaned, right? And then, of course, availability to those pool of talents that partner community will be having on your behalf to help you handle that challenge. So here is a -- kind of building a business case for cybersecurity investments. So I have talked about, so far the landscape. I have talked about the challenges, the complex infrastructure, maintaining, managing, having a robust plan and then sustaining that journey is a challenge because of complexity, because of shortage of skill sets that you have. From there, we talked about the NIST framework, a go-to-model. We also discussed about a go-to-model would be having an appropriate partner, trusted partner and what would be the characteristics of a partner. We went deeper into the incident response plan. We went deeper into the incident response plan, the strategies, right? We said that OT specific plans are a bit different than the IT specific plans and the people that you require, right? So you're going to assess your abilities yourself and the need for a third-party, partner to help you with, all those exercises. Then we talked about our retainer agreement would help you simplify this complexity, right, managing OT cybersecurity risks. Okay. So now I'm more focusing here, the slide is more around building a business case for your bosses, right?
So all in all, the trick of submitting a solid business case is to get right data. Align your investment plan with needs, risks and compliance requirements of your business. Also knowing your organization's needs would make strategic planning simpler and lead to more equitable investments. Things you will want to do include performing an audit, setting the right expectations, formulating ROI, return on investments and determining the right areas for investments. We're on a complete audit, right? We recommend, right, unless I check, for example, for my health, I first need to check my weight, what's my weight, right? And similarly, that would be done for cybersecurity, right? That what's your posture? What's your hygiene today? What are the vulnerabilities on the gap? So contract a detailed inspection of your present security posture, this includes recognizing where your sensitive data assets reside, who wants access to it, and more importantly, who has access to it? Many security officers do not realize the risk of possible data loss by reckless, malicious insiders. Not all data appear at the same risk level, and no organization should grant special rights to any employee to assess or to access all of their organizational data. Although this can be time-consuming, it is necessary to get a wider view of where your security measures actually stand. Set right expectations from the beginning. Cybersecurity is not a product or a service. Stilling a company from losses is the only way for it to have any financial benefit. It will help if you showed how this could decisively impact your organization's budget while figuring out your business case. The trick is to speak in the language of numbers. For example, if you can explain how $1 investment would stop an event that could cost $10 to the company, you can get the management to vote for your side, to vote on your side, right? So speak the language of numbers.
Formulating return on investment ROI, a number of direct savings can be measured based on the size of the company, using the budget elements of labor savings defined by full-time or FTE, full-time equivalent cost savings per year. And the reduction of costs associated with software systems and services to elite cybersecurity management processes. This direct savings may amount to $100,000, $250,000 per annum, for smaller organizations. I'm talking in terms of U.S. dollar, right, USD 100,000 to USD 250,000. The large multi-unit enterprises usually fall within about $200,000 to $300,000, right? That's the general rule, ROI gains. Determine the right areas of investments, give your management the data that will determine their investment decisions. If feasible, focus on series of trend factors, trend factors already present, such as restricted inadequate services for employees, training and security awareness, awareness and training, correct. That could be something and that could be limited. I mentioned that we ourselves have huge amount of training, every employee at Rockwell goes through those training programs. So we are much aware. Policies and processes that are consistently recorded and applied, undocumented proposals for untested disaster recovery, company disaster. Company disruption, lack of device backup, patching updates, patching practices. And I mentioned that the OT patching is one of the key vulnerabilities that attack us. They try to leverage, to get in. So formulate a risk and reward equation using a tiered or tiered security approach, you can then begin directing your investment towards detecting, compliance and incident response. So this was a bit of an incident response. I'm getting closer to the end of my session. This is my last slide before I give you tips about how do you assess your preparedness. So this is in some are -- no matter where are in terms of your maturity, the people, the company, right, every company is unique.
So you could be falling in, in one of those categories, right? Idea is that you could be in a pre-digital plan, leadership has no understanding or awareness. To say awareness, leadership has the awareness that cybersecurity is important but are not prepared to respond, right. To say reactive, that means I'm always responding after something has happened. IT security teams try to resolve cyber incident with the service, process, procedures that is applicable for IT, right? Escalation cost and communication strategy are not well defined. Adaptive, senior leadership, that's where things are getting much better, right? Senior leadership invests in and develops minimum resource tools, policies and processes for threat detections and response, right? To purposeful, repeatable, optimized, incident response plan, processes are mature to include automated activities that needs -- that feed into business continuity plans to create a well-defined incident response structure. To proactive state where global organizations, incident response plan matures to take proactive actions based on threat intelligence and developing threat landscape. Business and IT stakeholders partner, to integrate business risk and business goals that contribute to the corporate strategy. I was more reading the slides that we have, but this all helped you in communicating with your leaders in terms of why you need an investment, to help you build your resiliency or improve your resiliency in a sustainable fashion. So that was the end of my presentations, 10 minutes to go. And here is the tool that I wanted to leave. This is something available in our website as well. It's called cybersecurity preparedness assessment. Once you do the assessment, there are a series of questions that you need to answer, right? And once you answer it, it generates a report. And that report would tell you your -- those measurements, right, those what you asked, right? You see, Identify, Protect, Detect, are you 60%?
Are you 30%? Are you 40%? So this would immediately help you to get an understanding based on the question and answer, right, your preparedness, how prepared you are, and you can use that as a milestone for your next step, right? How do you want to now cover those gaps, how do you want to improve your overall resiliency as long as the NIST Cybersecurity Framework is concerned. So take an assessment, this is the code that you have. You can scan and it's available to you and using this, it's a very good step for you to understand, it's like my health, right, my health, where are the gaps and what should I do? What kind of exercises I should do? What kind of food I eat? Et cetera, et cetera. Upcoming webinars, I said it's a part of -- it's an educational series that we are doing. I'm doing the fifth one, the sixth and seventh one, 21st September, 26th September. 21st September, how to restore operations after, that's the recovery part on recover. I did the Respond today, then the recovery part, 21st. And 26th September, how to sell cybersecurity to assist, which we have a dedicated session. I had -- I covered a little bit, but then we have a dedicated season on 26th September, who are interested in having that message from us. Thank you very much. And I think this is now Q&A time for us. So let me go into the Q&A here.
Sabyasachi Goswami
executive
Just give me few minutes. Okay. One of the questions that I see here, what are your key offerings for OT cybersecurity? Okay. I'd love to answer that question. Second question, that is I see, are you agnostic? Yes, the question, we are agnostic. And what are our key offerings? Again, Rockwell Automation, cybersecurity offerings. We follow the NIST Cybersecurity Framework, 360-degree protections. And our way of doing things is assess, design, implement and then finally monitor and manage. So assess, then design, then implement, monitor, manage, correct? And then our offerings around NIST framework, Identify, Protect, Detect, Respond, Recover. I also talked about the controls, the controls, 5 controls, right? And that's defensible architecture, asset visibility vulnerability management, real-time monitoring, securable access, now they are all big targets, right? But we do all, easily with protections, right? Most importantly, I think it position ourselves as more of a reliable trusted partner, doing the journey along with you, who has a tremendous amount of knowledge in OT and ICS environment over 100 years, right? So we bring that on the table. And then we offer implementation services at scale and managing the complexity of the services across the globe with excellent service level agreement. Okay. Another question that I see and this is probably the last question that I have for the session I'll do is this -- what is your business model for your offering? This is a question generally I received many times because people are trying to unfold the software, hardware, services altogether, different people, different players. Again, Rockwell Automation, we offer a platform of -- we have an ecosystem partner, which includes, for example, Cisco, Claroty, Dragos, CrowdStrike, right? Ecosystem partner. And then we have the people. We have the people, and we combine them together.
We bring in standards, frameworks, methodologies, right, project management skills, right, and then implement scale. And the question is what's the business model? The business model could be the CapEx, could be OpEx. It could be a combination of CapEx and OpEx. For example, we have an offering, the offering that the use case that I mentioned before was an Infrastructure as a Service. So we can offer those bundled things together, network and compute infrastructure and offer that as an infrastructure and service. We have our own SOC capabilities. We could offer that SOC as a service, right? So many a times, I see it's a combination of our CapEx project piece that we put things together. And then we manage whatever we implemented with the contract or service level agreement. That's the OpEx part of it. When it comes to the software pieces, getting the equations, again, we see on-prem cloud variation. But then again, there are subscriptions. There are ways depending on how you want to ramp up across sites and facilities. So basically, my point is, it's very flexible, and we try to fit-in where you are today in terms of your maturity and trying to figure out what is the best way to create a path forward together. Thank you very much for your time today. With this, I hand it over back to you, [ Jairaj ].
Unknown Attendee
attendee
Okay. Thank you very much, Saby. It was a pleasure. And just to wrap this webinar up, thank you very much for attending. And in case your questions were not answered, don't worry. We will do this by e-mail. And with that, we would like to thank you for attending. And in an effort to keep improving and providing topics of value to you, we kindly ask you to participate in our survey. If you'd like to speak to a representative for more information, you can make that request in your post-webinar survey. So please take a moment to fill them out. We look forward to seeing you again. And thank you very much, Saby, for this great presentation, and have a great day to everyone. Bye-bye.