Rockwell Automation, Inc. (ROK) Earnings Call Transcript & Summary

Hello, and thank you for joining this webinar. [Operator Instructions] Today's event will be recorded, and we will be -- and will available right after it's completed. You can access the recording utilizing the same link that you use to access the event. After the webinar, we will also be sending you an e-mail with the resources from today's event, including the slides, handouts and event recording. Additional information regarding today's topic can be found in the handout panel on the webinar platform. With that, I would like to introduce today's speaker, Kamil Karmali.

Good afternoon. Thank you, everybody, for joining today. I'd like to introduce myself. My name is Kamil Karmali, I am the Senior Global Manager for cybersecurity consulting services here at Rockwell Automation. Today, we're going to be taking our next step in the NIST webinar journey to focus on the recovery phase of the NIST Framework. And the topic of the conversation is how to restore operations after a cybersecurity incident. Let me walk you through the agenda for today, and I'll give you the highlights of the topics that we intend to cover. First, we're going to do a debrief and revisit. And for those of you who have been joining our webinar series sequentially, we're going to have a quick overview again of the overall NIST Cybersecurity Framework. Then we're going to talk about one of my main themes for today, which is all about thinking proactively so that we can achieve cyber hygiene before we are faced with a potential cyber incident. So we're going to dive into incident response and recovery. And then we'll spend some time going deeper into the recovery function itself. I then want to take you through a little bit of a journey and thought leadership around recovery and execution. And then we'll talk about building the right business case cannabis to help get leadership teams on board with understanding both investment and the prioritization around why this is so important. We'll finish out today with providing you with a little bit of a summary around what you can expect next in the series. And so that being said, I'd like to begin. The first thing I'd like to do with you as an audience is get a little bit of an understanding with some polling about what implementations or philosophies or strategies that you've put in place today within your organization, whether you're a small or midsized enterprise or a large enterprise, help me to understand and take about 20 to 30 seconds to help get awareness. Those items might be things like tabletop exercises, business continuity plans, and I'll go ahead and read out the results here in just a few minutes. Okay. It looks like we're getting a lot of traction. So I will go ahead and show the results. So it looks like -- and this is great, right, which means -- it tells me that our audience is not starting from scratch and the majority of you have thought through how to be highly proactive or put countermeasures in place to prepare, whether that's tested backups, continuity of operations plans or even building out your own disaster recovery plan, which is going to be a key topic for us later on in the presentation. And I do see a couple of individuals selected all of the above, which means that your cyber hygiene strategy is well thought through. So I'd like to begin revisiting the NIST Framework and provide you with some commentary first on the topic. So the NIST Cybersecurity Framework is what I call a risk-based approach. It's the most widely adopted cybersecurity framework globally, and it's certainly one that we, as Rockwell Automation believe in as we consult with our customers on a day-to-day basis. Originally developed later in 2014, it was a response really to an executive order that was mandated to improve cyber hygiene across critical infrastructure. But since then, it has been voluntarily adopted by many, many industries, all of the vertical industries that we deal with in operational technology and manufacturing around the globe. It consists of 5 core functions, and we'll talk about the revision that was just made in August of this year. So in the 5 core functions of the NIST Framework, you have identify, protect, detect, respond and recover. Within each of those 5 categories, there's over 100 subcategories of control elements and statements that help define best practices that organizations should use when building or revising or revisiting a cybersecurity strategy between IT enterprise and the operational environment, but it was really designed to be vendor-agnostic and scalable based on the size and scale of the organization. It's nonprescriptive which means people can fit proactively at their own pace and certainly start anywhere in the journey. It's not necessarily a checklist to be followed, but there have been several proposed changes over time. The core structure to the NIST Framework has stayed the same. As I mentioned, in August of this year, we added -- NIST added an additional element to the framework, which was governance. I believe this function emphasizes the importance of risk management and governance to drive continuous outcomes. The one thing that I consistently say in the world of cybersecurity operations and OT is that it's highly adaptive, the frequency of attacks that we're seeing are only increasing on a day-to-day basis. And so thinking through governance operations and the way that we build people and teams is very critical. So I was really happy to see that. Many of the categories focus with starting on the identify function, but certainly bringing governance supply-chain and understanding the overall business management strategy is going to be critical to -- for organizations to understand how to manage their cyber hygiene over time. The NIST Framework is also a basis for understanding industry best practices, but it can be combined with global framework. So if you're participating from a global audience, we have the CIC, which is the critical infrastructure center for Australia, certainly, the European Union with their NIS2 directive or in Germany's platform Industry 4.0 are additional equals. We complement the NIST Framework. And certainly, we see a lot of our clients combining both NIST and IEC 62443, which is a more quantitative approach to how organizations develop their overall awareness of their cyber hygiene posture and then can take measures to implement or deploy countermeasures moving forward after that. Let me dive a little bit deeper into understanding the NIST Framework. So as I mentioned, it's a voluntary approach, but we have data points that show us that collectively thousands of security professionals from the C-suite all the way down to plant operators and security personnel within the manufacturing environment see NIST as the best approach to take as a true point. It's widely recognized both in terms of control and ability -- adaptability but showing an organization up against cyberattacks and threats means that each of the security professionals as leaders in the organization. And I'm hoping those or many of you on the call today of the webinar are able to think through the wisdom and balance ideas or even ask for guidance around blind spots you may have, that will enable you to make better organizational decisions for you moving forward. It's a selling point as well across organizations because it provides a common language. And I think that language is equally as important to use as a gold star metric as we're communicating with functions such as HR or finance supply chain, production operations, plant management. I think each of these functions, as I do consulting myself, are able to understand why it's important to start at different phases of the journey and build practices moving on Rockwell Automation a couple of years ago took a very distinct -- made a very distinct decision to align not only our capabilities, but the way that we speak to the market, utilizing the NIST Framework. This offers us the ability to provide capabilities for customers who are looking to start from scratch in the identify stage to understand risk, vulnerability, correlation of those doing risk assessment type of techniques or even deploying initial countermeasures such as segmentation leading into the detect phase. So a lot of the concepts and the way that we build our approach to the market is focused around each of these different categories. I want to spend time now diving into the recovery category because I firmly believe this is about building organizational resilience and part of resilience are having tactical things like a disaster recovery plan. But the main message I want to send to you today is that when hit or if you're thinking about what to do prior to being hit by a cyberattack, we need to be able to respond to operations and production with a sense of confidence. And so when I think about people and teams, the recovery function is all about thinking through communication, containment, eradication and starting up operations in a phased way so that we can provide capabilities and services back to the market based on the nature of your manufacturing operation. Sometimes I'd like to go over proactively that I think that the respond and recover category very much go hand in hand, especially when we're faced with the amount of frequency and sophistication of cyberattacks. So one way that I recommend customers always get ahead of this is to think through proactively what are the essential elements you need, not just in the identified stage to categorize assets or think through countermeasures, but it's also about building an incident response plan so that in the event of an attack, you understand, right, how to get -- how to go about getting root cause analysis forensics containment done in order to restore operations. And so the first phase of that is always to think through preparation and readiness. So developing an incident response plan could mean reviewing processes or network architectures. It could be in establishing an IR readiness baseline. So if you have an IR plan in IT, how do we then translate that into the OT environment. That could lead into the next step of a solid IR plan, which is to really think through how you want to identify the threat are ultimately prevented. And so in the identification stage, we are able to deploy countermeasures or do some sort of assessment activity, which could include penetration testing in the OT environment, doing a tabletop exercise with all the key stakeholders in the organization to understand multiple scenarios that would need to be addressed or conducting comprehensive risk assessment activity based on not just NIST 62443, but it could be a set of multidisciplinary compliance frameworks that allow us to understand vulnerability penetration points and where we need to start in terms of strategy, tactical planning, prioritization and investment. The other aspect of this is considering basic hygiene elements like compromise assessments. If you're an enterprise of 5 to 50 to 250 plants, it's not necessarily linear in the way that we would approach it based on size or even plant maturity. So compromised assessment of what we call the crown jewels assessment would allow us to pick the most important facilities that drive the most productivity or operations or supply chain risk to the organization and then build the plan from there. The third is to really think through the actual incident response and investigation process. So in the event of the cyberattack, understanding how to analyze the data, understanding the methodology around forensics collection, eradication and containment is something that can be done proactively and which is highly recommended. And post incident, once those items are occurred, we want to go through always in an adaptive manner and take a look at root cause analysis reestablish success criteria and understand how do we need to adjust our cybersecurity framework for OT to have a long-term strategy to prevent these issues from happening again. And so I'm hoping -- and I saw a couple of the webinar respondents indicated that they have done this to date. I think they're taking proactive measures around things like tabletop building an IR response plan with some industry-leading partners is the best way to go about it. So I want to get into why you're all here today, which is the recovery category. For me, this is really broken out into 4 distinct elements. This is recovery planning, which is either proactive or reactive. It's root causing containment. It's the ability to develop a comprehensive communication plan and then always looking at continuous improvement along the way. This means that much of the planning needs to occur in terms of documentation to think through cybersecurity attacks before they happen. And so as we begin to discuss recovery planning, the identify function in the beginning of the NIST Framework, that really allows us to start thinking through cyber-physical systems, right, in the OT environment, which is very different than potentially wireless or cloud connectivity, anything in the carpet space within IT. But the response activity needs to be planned out and thought through because these assets need to be identified, whether those assets are people, processes, technology devices or even things sitting offshore or off-site that allow us to really think through what are the type of playbook activities that we need. A typical response plan in terms of recovery planning, just to give you some ideas of what could be included, could be things such as service level agreements. So this would allow an organization to think through how they want to respond internally to their enterprise or even externally to the market or to their supply chain. This is all about information around written communication and documented plans. It's production restoration plans, these SLAs, whether they are minutes or hours can also be augmented if not being able to be provided by your own staff or the workforce that you have today, by what we call an MSSP, a managed service security provider, who can restore operations through network, virtual infrastructure or even a full-blown sock, a security operation center. And they typically use metrics, right, to go through this process, but they can help establish SLAs as part of the recovery procedures to provide maximum allowable downtime, guaranteed bandwidth, prioritizations of assets that need to be patched or restore to get back and running. I think the other aspect of recovery planning is to think through authority. So do we have documented names and points of contact for engagement for staff members who may be active or may be required to participate in the plan. The other element that I believe goes into this are system recovery and procedures. So having the ability to discuss where needed, what the incident response team or recovery team might be doing in terms of application restoration and how that skill set or subject matter expertise is going to need to be very different from the OT environment comparative to the IT environment. I often challenge our customers to think about what I call out-of-band communications. So this is the ability to accommodate with different cross-functional stakeholders, both inside and outside of the organization. But when it comes to the communication plan in itself, I think escalation procedures or the ability to provide information at the right time to people who need to know it in order to handle insurance, legal or even human personnel requirements must be engaged as building out some of these expectations that we can be clear about who we're disclosing the incident to and how we're recovering through that process. One thing I've seen is certainly the OT environment is built with a lot of legacy systems, and so there's existing infrastructure, hardware, software applications that haven't necessarily been thought through in terms of what that recovery needs to look like. And so having a messaging system to key stakeholders on the plant floor in order to think through what data needs to be acquired or recovered from a backup or restoration standpoint in the infrastructure, either proactively or in the event of a cyber incident could ultimately mean a matter of days, weeks or even months to get back to full production. So I think it's super important to think through the trade-offs, right? I think about stakeholders, the production environment, what is needed to be considered because sometimes 99.99% uptime is not necessarily achievable in the event of the cyberattack. So hopefully, that resonates with some of you. I'll move a little bit more into root cause and containment. So we talked primarily about the ability to build an incident response plan proactively. I think it's really important that we understand the nature of the adversary, right? So if I think about the nature of a cybersecurity incident and how we get to the end game, which is to restore operations, equally as important is understanding the nature of the objective. Were they trying to steal intellectual property? Were they trying to take financial data? Was it a breach to achieve stealing intellectual property? Were they going after customer information? Was it simply to disrupt the business operation process for monitory gain? Or in critical infrastructure that impacts so many of us in our daily lives, is it more drastic to even cause human loss of life casualty? And so I think when building response plans, it's important to think about short term and long term is the adversary trying to inflict high-confidence pain, which could trickle into the organization and spread to additional facilities? Or are we trying to do some short-term interaction with the environment in order to prevent production operations and steal things like such as intellectual property. Most targeted attacks for large campaigns are thought out. They're well conceived. They're highly persistent. They're either done through paid adversaries or nation states. But I think the main message here is without root cause determination without understanding the objectives of what the adversary is trying to do in the investigation, the recovery procedure can have a high chance of being inefficient for an organization that could incur additional cost. And those costs could be based on awareness of supply chain inability to access technology, inability to access personnel or just lack of segmentation to be able to communicate with the IT environment in order to make business decisions. And so I would say, since the respond and recover category go hand in hand. There are many scenarios that can be planned for, but a lot of these ransomware attacks or executions of threat systems, may be -- may have an objective to achieve a deadline, which could be months or weeks down the road. And I think it's highly important that we continue to think through containment and eradication and build what we think the success criteria or metrics need to look like for that. Equally as important in the overall strategy is going to be the communication planning in the event of a cyberattack. So having a highly detailed comprehensive communication plan allows you to be effective for numerous reasons. One, I think, the state of communication could be highly impactful, both positive and negative, if there's significant legal or regulatory control that needs to be considered. Understanding from a legal perspective, who should be communicated to when and by whom could take extensive planning. I mean it could take certainly weeks or months. And I believe that, that conversation needs to be had way in advance or thought through, certainly in operational technology. We live in a world where people wear a lot of hats and certainly, if this information were to be leaked or head outside of the organization, including to the media, that leads to then brand reputational damage for a lot of our clients. And so investigation, certainly, you see today in the market have been going on post cyber incidents for years at a time. So I think it's highly important that key stakeholders need to understand what sufficient information is critical. What are their responsibilities for sharing that information? What information needs to be contained within the organization? What planning, testing or ongoing improvement has to be done so that each stakeholder partner, a customer of yours, a supply chain partner is well informed at the right time. And I think that each individual member of the recovery team, which is highly critical should have the sufficient information they need to do their job effectively and in a timely manner, especially if you're reporting out to the Board of Directors or the C-suite. So I think cover time in setting up the KPI, but also having a detailed communication plan will allow you to provide some acceptable workarounds and trade-offs for determining who in advance can be shared information with. How do you report it, how do you go about sharing a communication plan and ultimately, when do you make this public if you make it public. So consider the communication plan equally as important. Then I want to dive into improvements because we often think about cyber incidents as potentially a onetime activity. But I can say with a high degree of confidence that that's certainly not the case, right? I always tell our customers it's not a matter of if, it's when and when will it happen again. So I think improvements for cyber incident recovery require advanced planning, policies, procedures that are reevaluated and lessons learned are documented to be shared with stakeholders so that you're validating them often and benchmarking or testing your recovery capabilities. So whether it's in the form of the tabletop exercise, a cyber simulation exercise, doing a penetration test and determining how you want to address that. If all these things are done proactively, then your recovery concerns, hopefully, won't be as drastic in the moment or in the heat of a cyber incident. And so we highly suggest or recommend to our customers that conducting periodic review of not just the communication strategy, but a periodic review of how you actually respond, pressure testing that in the environment, simulating Red Team versus Blue Team activities. I believe that they should be done mimicking real-world scenarios in order to build the resilience that you need for your organization. Because what you're trying to do ultimately is create muscle memory and identify areas from improvement. One thing that Rockwell Automation is very conscious of and that certainly we see in the workforce is that we have a high turnover of security professionals or we're finding it very difficult to find security professionals that are able to become highly trained and skilled or monitor operations 24/7. And so by running this muscle memory and documenting these plans, doing consistent training, what we're trying to accomplish here is making it a fabric of the organization and try to eliminate as many system failures that are caused by human turnover or workforce turnover that daily operations are much more resilient in the event of a cyberattack. I think the other thing is that recovery team should also be testing and building out realistic scenarios, right? So I think we often think about the worst-case scenario, but there could be additional types of scenarios that we didn't even think about, whether that's an internal threat vector or we lose a member of the team that might be converting over to another organization or it could be learning about what the -- what's happening in the market relative to adversaries that are trying to come across with us with more levels of sophistication. We have to get through those obstacles. We've got to break down the complexity so that our teams feel that they are not only confident, that they have a defense and depth strategy, the recovery team is able to navigate the first step versus the last step and that we have a common best practice that the organization feels is repeatable and can be described to new members of the organization. And certainly, a lot of this is done through ongoing documentation, testing, planning and retraining. So I think adding a realism into this world will proactive increase your ability to not just see where your gaps are in an organization, but they can certainly help you train your talent and be part of the continuous improvement strategy to increase effectiveness in the event that you're recovering from a cybersecurity incident. So I want to take a moment really quickly to just summarize our thoughts at a very high thought leadership level on the recovery category. It's really broken down into 3 levels. Recovery support investigation and analysis through root cause and containment or resilience planning, which is more of a strategic activity that, that organization should take. I think when you think about resilience planning, I can give you a framework or we can talk through a framework of some of the large components, right? So disaster recovery plan is certainly an aspect of resilience planning. But I would venture a guess to say that maintaining business continuity is probably the core objective for anybody in the OT world to keep supply chain product operations up and running, but also to protect sensitive data. So I think thinking through the trade-offs and the prioritization of what's important is highly critical. And when customers are thinking through resilience planning. It's also about minimizing risk and impact for future losses to an organization. So although a cyber incident could take place at 1 of 200 sites or at a crown jewel site by documenting the behavior, having documented incident response capability, training and communicating around what a recovery plan would be, determining whether you need on-site responders or outside source managed services providers to help you restore and develop metrics or KPIs that allows you to be more impactful to present -- to prevent, sorry, issues from happening at a larger scale across the enterprise or more frequently in the future. I would communicate again over and over that having stakeholders with a documented communication strategy, which is both tactical and strategic in nature is highly important. But also don't lose sight of the fact that we have to continuously think through how often we need to review internal processes, how often we have to define roles and abilities for those on our staffs in the IT versus OT world so that we can ultimately ensure that we're providing SLAs for production restoration and supply chain restoration to the market. So I want to shift a little bit to go through one of our final topics of the day, which is about disaster recovery. Disaster recovery planning for me is actually broken down into 2 distinct elements. One is a tactical element and the second is the strategic element. So let's start with the tactical element. I think for a disaster recovery plan to be effective, we have to start with creating and maintaining a core list of peak process technology and a deep awareness of asset inventory that allows an organization stakeholders to achieve this mission, which is cyber resilience and production continuity. There are a lot of critical dependencies that fall into asset categorization, but having a detailed diagram and an map or ability to track asset inventory in real time is only going to help further allow us to restore operations much quicker. I think the second element of the tactical plan is having it documented and maintain categorization of not just vulnerability risk or legacy assets in the facilities, but how important are these plants, devices or assets to the overall prioritization of your recovery efforts. So if you have a more modernized facility that is patchable or we've identified key personnel that are able to restore operations quicker at one facility versus another I think having the associated plans and determining the prioritization of which facilities need to come back up and running in sequence is highly important. And we also find that there are underlying assumptions that we all make regarding core services, trustworthiness of people or just a lack of understanding of the adversaries motivation or their intention to allow you to recover in a periodic fashion. So I think it all be highly tactical in a disaster recovery plan, we have to document the conditions. We have to build the recovery plan. We have to gain consensus around that recovery plan. We have to understand who has the authority to make decisions or augment decisions in the recovery plan and notify personnel with a clean and consistent communication strategy so that we can pick milestones. We understand and we train people on what our recovery goals are, and we have the ability to go execute our recovery efforts. I think the second portion of it, which is equally important to a DR plan is the strategic element. So continuously communicating to our executives, our key stakeholders of the organization, both internally and externally, of what our recovery efforts might look like if we need additional funding or personnel to go execute those activities, thinking through that, proactively is highly important. We tell our clients, right, as of last year, a lot of our research in the market shows us that the average cost of a ransomware incident an OT is now greater than USD 6 million. So if you're thinking about -- and that's a onetime event, right, if you're thinking about what is the cost justification or ROI or investing in resources to get to the recovery stage, I like to think about it as not return on investment, rather, I think about it as cost avoidance, risk appetite and risk tolerance. And so I think by using the NIST Framework, all the way from identify or even starting with governance to get to the recovery phase, you're able to build a sound business case that allows all parties in the organization together to understand where the fall down points might be, whether that's all the way at the recovery category or even if it's in response, we have to be able to identify which assets are most critical and most vulnerable. And do we have the right people and processes and technology in place to provide effective information that we can communicate in the event of the cyberattack. So I hope that was helpful and useful to you. I want to present you with an actual case study for a customer of ours. We have a large global food and beverage customer that was impacted in the inflection point of 2017. And as many of you know, 2017 was a game changer for cybersecurity and operational technology. The introduction of NotPetya to the environment of manufacturing created a lot of consternation, certainly hundreds, if not millions of dollars of incurred expenses and loss productivity for many customers that were hit by NotPetya. And so we actually were able to work with a client who did a number of proactive countermeasures, but also consulted to work with us and select us as a partner to take care of reactive measures. So this customer began their cyber hygiene journey by investing in modernized software, application awareness, driving enterprise productivity. And now as we look at, I think the case study might say 80 facilities, but it's certainly more than 130 facilities around the globe, we were able to think through ways of deploying first segmentation. Putting in proper IDMs into the environment, allowing trained personnel to understand what information should transverse both the worlds of IT and OT and then rebuilding their entire virtual infrastructure. So that we could provide industrial data centers that had a patch management strategy with network operations that allowed us to tap into those operations 24/7. Once the ransomware incident actually hit that environment, the customer was able to very cleanly cut off the supply chain in the IT environment, and they still actually had some orders in the backlog that were translated to production from SAP. So they were able to keep producing, while containing the incident, while Rockwell Automation and a managed services provider were able to come in and do on-site restoration and backups of software and server applications to complete rebuilds in the field. And then ultimately, help train and develop a communication plan and a strategy for our customer. And that's allowed us now to move into the next phase with this customer, which is to do security operations and actually building out a comprehensive incident response plan so that we can look at deeper forensics abilities or actually having IR responders on-site in case of a future attack. And so you'll see many of these examples in the industry today, but certainly, these are examples of where a customer or a partner like Rockwell Automation can certainly help you. I also believe it's important to think through preparedness. And so without going through highly quantitative or quantitative deep dive assessment work, if you still don't know your business or you're confused about your ability to quickly quantify, we've gone ahead and developed a NIST scoring preparedness assessment for our clients globally around the globe. And ultimately, what we can do is provide you with a very clean way of taking an assessment, and this can be done as a single leadership team at a facility or it can be done at multiple facilities if you have multiple stakeholders and you're in a heavy industry like oil and gas, where you've got multiple business units and stakeholders that operate. we find that it not only provides a full customized report for each of the business units within your organization, it allows us to do some industry benchmarking against standards. And so I encourage you, if you're not aware of this, and you haven't seen it yet today, please do take an opportunity, and we'll provide you here with the QR code to go ahead and snap that so you have a link directly to the cyber preparedness investment, which you can take certainly for free and start to build that appetite with your organization around potentially looking at doing deeper assessment services to quantify risk. So let me leave you with -- and I want to certainly thank you for joining today. This was, I believe, the fifth or sixth part in our journey. This is a 7-part webinar series to help drive awareness, education and executive alignment for cybersecurity practices. On September 26, we're going to take a little bit of a deeper dive around communicating and how to sell internally to the C-suite within your organization around OT cybersecurity. And the webinar is not only on demand but will be available afterwards. And so I just want to take an opportunity to thank you for your time today. Thank you for joining us to continue to learn about the NIST Framework and how Rockwell Automation is approaching this in the market. And so I will go ahead now and take a look at some questions that may have come up and go ahead and do some Q&A with the audience.

One of the questions I got was who should we talk to if we need a security operations center. So I think there are a lot of amazing companies in the market. And certainly, we have our own ability to deliver on those services. So Rockwell Automation is one of many companies that can provide true security operations. MSSP capabilities, I think that if you're currently a large organization that has an internal team that is running security operations or you've outsourced that behavior to a SOC today, there are ways that we can help plug into that. And so our approach to the market is to be able to either come in and drop in the infrastructure, people in process to deliver a SOC fully for you or you'll be able to select a partner, whether it's Rockwell or others that can actually operate in a hybrid or complementary model to the SOC investments that you've had today. So I think there are a lot of good options out there as well. I've got another question. Should victims of ransomware pay the ransom and what are the risks in doing so? I think -- so I'll give you my opinion and certainly my opinion is not Rockwell Automation's opinion on this. The way I've heard it told to me from a lot of our advisers in the industry, whether that's security professionals, our own customers or the C-suite, the further you feel the behavior, the further there's going to be investment appetite and nation states who want to continue to try to cause human loss of life, casualty, steel intellectual property or even greater damage. So I think that the question should not just be should we pay the ransom. I think the question should be in a tabletop exercise that we do for -- as an organization, that should be a scenario that we map out. And ultimately, it needs to be a board-level decision. It needs to be finance and human resources and anybody involved with brand equity or marketing or production to really determine for that organization doesn't make sense. And I think you need to correlate that to your overall cyber hygiene as an organization. If you're a lower cybersecurity maturity customer of ours or you're just beginning your journey, paying a ransom might be the best way to help build the business case to go ahead and do the things that you need to do to get secure. I see with larger, more mature organizations that they've made the conscious decision that they're ever going to pay ransom. In fact, what they're going to do is they're going to use that as a test case to build a better recovery plan, a better proactive incident response plan, they might elect to hire cyber insurance companies to take care of it, but they likely might not disclose it. And based on where you are in the world, there might be regulatory requirements for you to disclose that. So that's my answer around that one. Let me look to see if we got any other questions. So will I have the ability to get a copy of these visuals with the commentary? And the answer is absolutely yes. We will be providing you with all the content across the NIST webinar series, not just this one, but I appreciate the ask, so don't worry about that. It does not appear. Let me just check here. Okay. So what do you think -- where do you think is the most important place to start in the NIST Framework? That's one I get a lot. So I always recommend to customers that even you've done the identify stage, go back and do it again, right? So to me, the NIST Framework is exactly that. It's a framework, and it's not a onetime activity. This should be an adaptive behavior where you're constantly determining have I identified enough? Am I monitoring in real time enough? Have I deployed enough countermeasures? Do I have real-time threat detection, right, in place to understand anomalies or intrusions into my environment? Have I stood up network or security operations into the environment? And that leads me into respond and recover. And as we just talked about today, refining that recovery plan, making it a muscle memory, building that cohesion between people and teams having the improvement measures, understanding the communications plan, documenting the disaster recovery plan, that should be a continuous cycle of a leadership practice, but it shouldn't just stop at the leadership level. Security needs to be ingrained as part of the culture for each and every individual in the company. And so I think it's got to be an ongoing thing. I think you have to start where it makes sense, where you can financially afford it. We do see customers that come in and ask us simply to deploy countermeasures as a starting point, and that's totally fine. We have customers that come in and want to do some level of tabletop or risk assessment or penetration test to correlate vulnerabilities and prioritize. I also think that, that's a great starting point as well. So that would be my answer to that question. Okay. I'm going to pause just for another minute here to see if we have any more questions from the audience. Okay. So it looks like that is all for our Q&A session for today. Again, let me thank you on behalf of Rockwell Automation and myself, Kamil Karmali, for joining our series. I hope that you attend our next one on the 26th of September. And please do reach out to us if you need any other assistance in your cybersecurity journey and awareness. Thank you very much.

Hello again, and thank you very much for this great presentation, Kamil. If you -- in case your question was not answered, don't worry, you will get this by e-mail, in case you -- we have received private questions on your behalf. With that, we would like to thank everyone for attending today's webinar. In an effort to keep improving and providing topics of value to you, we kindly ask for your participation in our brief survey. If you'd like to speak to a representative for more information, you can make that request in your post-webinar survey. And we look forward to seeing you at our next event. Thank you, and have a great day. Goodbye.