Intro/Outro (00:03):
Welcome to Supply Chain Now, the voice of global supply chain. Supply Chain Now focuses on the best in the business for our worldwide audience: the people, the technologies, the best practices, and today’s critical issues, the challenges and opportunities. Stay tuned to hear from those making global business happen right here on Supply Chain Now.
Scott Luton (00:32):
Hey, good morning everybody. Scott Luton and the one and only Kevin L. Jackson with you here on Supply Chain Now. Welcome to today’s show. Kevin, how you doing?
Kevin L. Jackson (00:38):
Hey, I’m good. You know, uh, today’s show is gonna be great. We’re gonna talk about cyber security. I love cyber security. Um, and it’s gonna be, we really gonna start helping people get ready for 2023, these business leaders, whereas they, they focus on, uh, what is your, um, resolutions for the new year. What are your five cyber security resolutions or priorities, uh, as a manufacturer in 2023?
Scott Luton (01:11):
That is right. And of course, cyber security and one of the biggest topics of our time, whether you’re in global supply chain or, or certainly manufacturing, which is gonna be a big focus here, here today, or global business. So it should be a great episode. Uh, so Kevin, mm-hmm. <affirmative>, we should add that today’s episode is presented by our good friends at Microsoft. We’re gonna be touching on some of the really big things that they’re doing in, in industry. Yeah. Including the world manufacturing a little later on. Absolutely. So, Kevin, are you ready to introduce our guests here today?
Kevin L. Jackson (01:42):
Yes.
Scott Luton (01:44):
Well, I am too. And so, with no further ado, I wanna welcome in our two featured guests, Karen Braxton, Vice President with TechnoGen Cybersecurity, LLC. Karen, how you doing?
Karen Braxton (01:56):
I’m well, thank you. How are you, Scott and Kevin? Wonderful.
Scott Luton (01:58):
Great to have you.
Karen Braxton (01:59):
Thanks for having And
Scott Luton (02:01):
You bet. And you’re joined by Bruce Spector, chairman of the board with Baltimore Cyber Range LLC. Bruce, how you doing?
Bruce Spector (02:09):
Great. Very well. Welcome. Thank you. Thank you for
Scott Luton (02:11):
Having us. You bet. Really enjoyed,
Kevin L. Jackson (02:14):
Appreciate conversation.
Scott Luton (02:15):
Kevin, what were you saying?
Kevin L. Jackson (02:16):
Yeah, I, uh, got an opportunity to visit the, uh, Baltimore Cyber range, uh, a while ago. And they have actually improved since I did, but they were really impressive. Um, I mean, they were so good that the Kingdom of Saudi Arabia asked me to go evaluate them as a benchmark for their national cyber security standards.
Scott Luton (02:40):
Wow. Bruce, that is some high praise, huh?
Bruce Spector (02:44):
It sure is. And, uh, I, I remember that. And, um, the, uh, it’s very, very exciting for us.
Scott Luton (02:52):
Well, we’re gonna learn a lot more about both your organization and TechnoGen and what Karen’s been up to here momentarily. But hey, Kevin and Karen and Bruce, before we do that, uh, in great tradition we’ve had here at Supply Chain Now, uh, and Digital Transformers with the award-winning podcast, uh, Kevin has been leading. We like to get to know our guests a little better, and we like to start with this very simple question of where you grew up. Uh, so you gotta give us the goods on your upbringing. And Karen, I wanna start with you. So tell us where, where did you grow
Karen Braxton (03:19):
Up? I grew up in Carroll County, Maryland. Little small town called Westminster. Most people haven’t heard of unless you’re local, um, in the country. <laugh>. Um, and went to, um, schools out there very close to Pennsylvania. Actually. You could go out through our, uh, front yard across the mailbox, and be in PA, couple of steps through the woods.
Scott Luton (03:42):
Really? Yeah.
Karen Braxton (03:44):
Okay. It’s right there on the Mason Dixon.
Scott Luton (03:45):
Okay. So let me ask you this, cuz you know, we love talking food here at Supply chain and Kevin Love talking all the time. Sometimes we get to business. But what is one food dish growing up there in Westminster that’s inseparable from your, your upbringing?
Karen Braxton (04:02):
My macaroni and cheese. My mom’s macaroni cheese
Scott Luton (04:05):
<laugh>. Wonderful. And you know, folks, uh, y’all, our listeners didn’t have the, uh, great opportunity to be a part of our pre-show conversation, but as we learned from Karen that Mac and Cheese she just spoke of, she is, she’s legendary in her family now for d uh, uh, cooking that and many other dishes, uh, uh, at holidays and cookouts, you name it. So Karen, thank you for sharing. I appreciate that.
Kevin L. Jackson (04:26):
I’m sure she probably still has, uh, but maybe not. I’m sure she like, put together a huge pot for Thanksgiving. It probably was all gone before No, I did before midnight <laugh>.
Scott Luton (04:39):
All right. No, fair. You can’t make us hungry now. This is not, it’s not fair. Still around midday here in the metro Atlanta area. Um, alright, so Bruce, that’s gonna be tough to talk, but what about you? Where’d you grow up?
Bruce Spector (04:51):
So, I was born in Baltimore. I went to grade school in Baltimore, high school in Baltimore, college in Baltimore. Raised my kids in Baltimore. And as John Mellencamp would say, they’ll probably bury me in
Scott Luton (05:03):
Baltimore, <laugh> <laugh>.
Bruce Spector (05:06):
And there’s only one thing worse than somebody born in Baltimore is somebody that likes being from Baltimore because they praise it. And I gotta tell you, it’s a wonderful city. Yeah. Wonderful.
Scott Luton (05:14):
Well, so let me ask you then, um, you know, Kevin and I are both big sports fans. We’re talking a little sports pre-show sports and food
Kevin L. Jackson (05:22):
About a
Scott Luton (05:22):
Way. And of course, who
Kevin L. Jackson (05:23):
Beat the Falcons this weekend? Who beat the Falcons this weekend? I’m
Scott Luton (05:29):
Just saying, Kevin, that’s a long list. That’s a long list of who beat the Falcons this season. So, you know, commanders <laugh>, yes. Kevin’s, Washington Commanders did, uh, did beat, uh, the Atlanta Falcons. But let’s talk, what, what is your favorite, um, sports team, uh, growing up, Bruce? What was one team or, or a sport? So,
Bruce Spector (05:50):
That’s a great question. And I really don’t wanna show my age <laugh>, right? But I am a Ravens fan through and through. But I used to root for two teams. I would root for the Ravens or anybody that was playing the Indianapolis Colts <laugh> because the Indianapolis Colts should be the Baltimore Colts. Right. But other than that, uh, I’m a Ravens fan through and through.
Kevin L. Jackson (06:10):
Yeah. When they snuck out the, the city and buses at midnight, the Colts, the Golden.
Karen Braxton (06:14):
Everybody remembers that.
Bruce Spector (06:17):
I remember the, the, uh, may, the Mayflower vans pulled up in the middle of the night when they promised the mayor never were gonna keep us here. So I, I, I dunno, we’re gonna have, I got a bad feeling towards those guys,
Scott Luton (06:28):
Bruce and Kevin and Karen. We’re gonna have to dedicate a whole series to that story. Cause that’s really a fascinating, uh, saga back in the day. Um, well, hey, Karen and Bruce, I’m so pleased to have you here. Um, Kevin mm-hmm. <affirmative>, um, quick comment from you, uh, you know, Westminster and Baltimore proper. Uh, you know, Kevin, you’re in a greater neck of the woods. Any comments on Karen and Bruce’s upbringing?
Kevin L. Jackson (06:53):
Well, you know, both my parents were born and raised in Baltimore, so my extended family is all around there. And I just, uh, just a little inside, uh, bit of knowledge. Karen is actually my cousin
Bruce Spector (07:07):
<laugh>. Really? Again, so that’s, that’s a prime example. It’s, it’s not Baltimore. It’s small <laugh>. It’s small town. It’s a small, big town. Everybody, everybody else, you know, really. It’s great.
Scott Luton (07:20):
I’m a still
Bruce Spector (07:21):
Perfect example.
Karen Braxton (07:21):
I’m Tim away from Kevin’s dad.
Scott Luton (07:23):
Really? Yeah. Yeah. Well, blessed be the ties that bond, uh, number one. But number two, Kevin, you’ve done this to me twice now. We had a guest, um, uh, uh, a, um, a veteran Avi right. With the Marines. And Kevin was messing around and, and, uh, was calling her, uh, cousin. And I thought that he was just like, messing around. And he, and during the show, he is like, really? Scott? I told you she’s my cousin. She’s my cousin. And we had a nice little moment there. But, uh, anyway, well, uh, again, great to have y’all. Let’s, let’s kind of shift gears here. Mm-hmm. <affirmative>, and let’s talk about you, what you and your organizations are doing. And Karen, I’ll start with you. Tell us about TechnoGen and what the company does and, and your role.
Karen Braxton (08:06):
Okay. Uh, TechnoGen Cyber, we provide cybersecurity services. Um, we also have, uh, LMS, uh, part of that part of the company is TechnoGen Academy, where we do cyber training. And, um, we’re gonna be actually working with Baltimore Cyber Range, um, next year on a project providing, um, training, incumbent training. Uh, the other part of TechnoGen is staffing. We do staff o um, and not just for IT. Um, but right now we’re actually even helping out, uh, a college, um, located in Laurel, one of the cyber schools. That’s our partner. And we’re gonna be doing some, um, recruiting for them as well. Uh, TechnoGen,
Scott Luton (08:46):
But the man is just off the chart. Karen.
Karen Braxton (08:49):
Yeah.
Scott Luton (08:49):
<laugh> for the, for all things technical talent. Right.
Karen Braxton (08:52):
How about that? Um, we’re a wholly owned subsidiary of TechnoGen Inc. TechnoGen Sideways, um, incepted in 2009. Uh, we are also, um, building out, uh, zero trust model. We’re excited. Um, we’re working with one of our board members, Dr. Ron Martin, um, who’s also affiliated with the university. So we’re partnered with them, um, and gonna be doing some, uh, lab work as well in the cyber facility there. Um, TechnoGen also is, um, wow, what, what word do I want to use? Um, <laugh>, let’s just say we’re, we’re gonna be in the EDU space, um, soon, and we’ll be making an announcement, um, on the website about that as well,
Bruce Spector (09:42):
Man.
Karen Braxton (09:42):
But excited.
Scott Luton (09:44):
It, it, I love how you’re touching all sounds like so many different aspects of, of the technology ecosystem. Uh, Kevin, your quick comment on TechnoGen and what Karen and Sharon,
Kevin L. Jackson (09:55):
Well actually, TechnoGen, uh, and Baltimore Cyber are, are really important in the, the cyber security ecosystem of, for the state of Maryland. I’m, I’m sure we’re gonna get into a lot of that, but that’s why they, you know, they seem to be sort of doing everything and the middle of everything is because they’re so important to the ecosystem.
Scott Luton (10:19):
It’s like the, the mayors, the mayors of the <laugh> Cybersecurity Nation. I dunno. Um, alright. So Bruce, um, let’s talk about Baltimore Cyber beyond, you know, some of the cool things that Kevin shared on the front end. Tell us about what the organization does and what you do.
Bruce Spector (10:35):
So, uh, Baltimore Cyber, we were, we started, we were a bunch of, uh, electrical engineers and computer scientists from Johns Hopkins and University of Maryland, both Baltimore educational facilities. And, um, we actually accompanied, uh, Governor Hogan on his trade mission to Israel back in 2016. And it was an economic development mission. And, uh, the Israelis see a lot of cyber threats in that part of the world. They’ve got, you know, the, the hostilities there in the Middle East, but you know, Iran and Syria and, and Jordan and that general vicinity. But what they do is they actually store the threats. They receive, they catalog ’em, they library them, and they create what they call an attack generator. They then take that data and they run it against a simulator network, and they use it as an instructional tool to teach their cyber warriors how to deal with the threats that are, uh, current, uh, current threats.
Bruce Spector (11:30):
So the governor had this idea that, you know, that’s great for cyber warriors, but I’m sure we’re doing good stuff in the United States. But why don’t we take this device, this system, and put it in Baltimore, and let’s do workforce development. There’s over, uh, 25,000 unfilled positions in Maryland that if people were trained properly, they could walk into positions currently. And then that, that’s an order of magnitude higher. If they, they have government clearances, because the majority of lion’s share the cybersecurity stuff that’s hot right now requires government clearances. So, uh, we put the range in Baltimore and we trained in the last five years, we trained about a thousand people that were not cybersecurity types. And we got about 950 of those full time positions in cyber. And, uh, the reason we were able to do that was, it was a unique training session, but we also formed a consortium of cyber companies that had the requirements. And, uh, they gave us the materials that we needed to, to do the training. They, to us, the threats that we were gonna use to put them on the range. And that’s how we applied it to the, to workforce development.
Scott Luton (12:34):
Man, I love that. Even in this, uh, highly technological and ever evolving innovative world man workforce is where it’s at. So I love that story and that element, uh, Kevin, your quick comment on, uh, what Bruce just shared,
Kevin L. Jackson (12:47):
There’s just a huge shortage of cyber security professionals, um, global, globally, um, not just in Maryland, but in the nationally United States and, and globally. So, um, Baltimore Cyber, uh, is, is really, uh, filling a critical niche for our entire society as we transition to the Internet of Things. I mean, our society is built on the internet and security of our devices, of our network, our computers, our smartphone, uh, this, this is, this is our life, right? So, uh, uh, thank you. Um, thank you for everything you’re doing, Bruce.
Scott Luton (13:30):
Definitely. I appreciate that, Bruce and Karen. And now that we’ve kind level set, we’ve kind of level set with, um, who our guests are, one my favorite parts, and then what they’re doing professionally and the impact they’re making. Uh, and we’re gonna about to get some of their expertise on, again, uh, the top five priorities that manufacturing leaders really need to prepare for when it comes to cyber security for 2023. But before we get there, Kevin, mm-hmm. <affirmative>, uh, I, I, I think you and the research department have been diving into some important market facts. Tell us more, especially when it comes to, you know, Maryland and manufacturing and cyber.
Kevin L. Jackson (14:04):
You know, when you say manufacturing, you, many people probably don’t think Maryland, right? It’s a small state, you know, it’s over overshadowed by its, uh, proximity to the, the nation’s capital. But, uh, manufacturers in Maryland account for over, for almost 6% of the total output of the state in employees, about over 4% of the workforce. So you can see, uh, manufacturing is important. In 2019, there was almost 25 billion in manufacturing output, uh, from the state. Uh, the state averages about 110,000 manufacturing employees, and they each make, uh, $91,000 each. So, uh, I’ll take that job. Uh, <laugh>, you know, in Maryland’s economy, um, there’s like $10.3 billion in manufacturing goods that are actually exported in, in 2020. Um, and 3 billion of that goes to, uh, free trade agreement partners. These are countries that have partnered with the United States, um, and it helps create like 13%, 13% of the state’s MP employ employment is from exports.
Kevin L. Jackson (15:43):
Uh, and small businesses comprise 88% of all exporters in Maryland. So this is not about big business, it’s about small business. And those partners, um, and I’m talking about countries like Australia, Bahrain, Canada, Chile, Guatemala, Morocco, Singapore, South Korea, they, they did almost $660 billion in manufactured goods alone. And, and, and I know that we’re gonna be talking a lot about cyber security, but from a cyber security point of view, Maryland ranked number one in the cyber state’s diversity index. Number two in cyber security technology and innovation. It ranks number one in federal obligations. And I’m talking about money for cyber security research and development. And it’s ranked as a top 10 global cyber security hub. And don’t forget the National Security Agency, one of those three letter agencies, the NSA is located in Fort Meade, Maryland, just south of Baltimore, and just north of the nation’s capital in Washington, DC. So if you wanna be a hub of cybersecurity, Maryland is where it’s at.
Scott Luton (17:13):
<laugh>, I love that. I, I feel like, I feel like I’ve just earned a certification in all things Maryland last 34 minutes. <laugh>. Thank you, Kevin. But Karen
Karen Braxton (17:22):
Facts, Kevin, thank
Scott Luton (17:22):
You. Yeah, it really is. I mean, uh, the mecca in so many different ways of, of cyber and technology and, and with a big ole helping of manufacturing. Karen, from what care, uh, Kevin just shared there, what thought comes to mind?
Karen Braxton (17:36):
Well, like I just said, it was a great, um, facts that he had brought forth, and the numbers are mind boggling. Um, but yes, we are definitely the cyber hub, um, here, which is why we’re gonna be, um, instrumental in helping to train up, um, a lot of the state employees in cyber and the incumbents.
Scott Luton (17:57):
Uh, so well said. And, you know, it’s only gonna get the cyber threat, as y’all know, speaking to the experts here. All three of y’all is only gonna get more complex and more, uh, um, uh, a lot more tax. I mean, every business, regardless if you’re in supply chain or, or else, uh, is gonna be a, uh, big, uh, concern, big priority to tackle. Um, Bruce, what about you, Kevin? Just shared a ton of, of market data, your thought.
Bruce Spector (18:19):
Yeah, so I think Kevin’s obviously got the numbers and he understands the, uh, what we call the cyber security ecosystem in Maryland. Um, one of the things that, uh, strikes me and, uh, some of my colleagues, uh, as not obvious is that when you look at these, um, opportunities and these people that are working not only in, uh, supply side, but in IT and in Maryland, there’s over 800,000 IT employees. Um, people lose sight of the fact that if you have that cybersecurity is an esoteric subset of IT, you need to be an expert in IT before you can really attack a cyber issue. It, it’s like being a doctor. You have to be a doctor before you can be a cardiologist. So it’s especially within, and that’s one of the reasons that, uh, there is so much need for cybersecurity training. You need to understand, you know, there’s so many different IT students out there, and there’s so many, there’s so much doing in new technologies and new ways of approaching.
Bruce Spector (19:28):
I mean, look, you take a, uh, uh, an IT system, you take something like a microprocessor, which I’m sure most of your people know, it’s basically the building block of a, of a network or an IT device that offers tremendous automation and tremendous, uh, uh, progress. However, there’s a dark side that I, that microprocessor can be compromised. You can be bad guys can get ahold of it and take over your system. That is the issue with cybersecurity. There are more and more microprocessors going into these things. You know, your things that were never microprocessor based. Uh, your home heating, your thermostat, your car, your tv, I mean, things that you need that you need to live with. You know, some of your, some of your medical delivery systems are all micro pro based. These things are all, uh, very, very, um, uh, uh, susceptible to bad guys hacking in. And if there’s a money profit, it’s, you know, they said it’s, you know, why do you rob banks? Cause it’s where the money is. Yeah. You can find a way if you can find a way to get these systems, you find a way to make money.
Kevin L. Jackson (20:30):
I think the word you evidently,
Scott Luton (20:32):
That’s what
Kevin L. Jackson (20:32):
They say is vulnerability. The vulnerability of all these systems.
Bruce Spector (20:37):
That’s right. What they’re probing and probing and they’re looking
Kevin L. Jackson (20:40):
At Yeah. What doesn’t have a microprocessor in it.
Scott Luton (20:43):
Right. Well, as Bruce was sharing that, Kevin, uh, the first thought, one of the first thoughts come to my mind is that dual side, you know, that, that, uh, uh, both sides of the sword when it comes to, you know, innovative and highly powerful. Yeah. More ever more powerful technology, any bad act, you know, any, any great tools and bad actors’ hands can unfortunately do a lot of damage so that’s all the more reason to get into some of these priorities we’re gonna be talking about when it comes to cyber. But hey, uh, Kevin and Bruce and Karen, before we get into kind of the, the center plate part of our conversation, I wanna share, I think as, as, uh, four of us spoke about pre-show, you know, Gartner research has once again reported that, uh, CIOs plan to make cyber security their top investment priority in 2023, beating out spending on things like business intelligence and analytics, and even, sorry, sorry, Kevin <laugh>, even cloud computing platforms, right to my heart.
Scott Luton (21:38):
But, um, uh, as Bruce and Kevin and Karen spoke to pre-show, you know, that’s what they’re saying. We’ll see if the time and the money comes with it. But Leslie Salman, uh, had a great quote, uh, in the Wall Street Journal not too long ago. She’s a global Chief Information Officer for Kellogg, right? Mm-hmm. <affirmative>, she was quoted as saying, if I get a bud, uh, if I get a bud a budget challenge, it doesn’t come out of cyber <laugh>. So we’ll see, uh, in, in a new year. Okay. So with that backdrop, um, let’s dive into some of the cybersecurity priorities. The top five, we’ll call it, uh, cybersecurity priorities for manufacturing leaders as we head into 2023. So Karen, let’s start with you. What are two priorities that manufacturing leaders really should be considering?
Karen Braxton (22:27):
Uh, I believe number one, um, first one should be the manufacturing systems. They need to take a look and have a holistic approach to cyber security, right? They’re not doing that now across the board. And number two, I believe they need to establish and enforce policies and procedures. Um, you know, we got standards, you have compliance, you have regulatory, um, you know, items. So I think once that stuff’s done and it’s done across the board through academia, government, um, they should consider this should be considering. If they’re not,
Kevin L. Jackson (23:03):
You know, I’m really,
Scott Luton (23:04):
So number one,
Kevin L. Jackson (23:05):
I’m really happy that can start off with those two items because, because all too often cyber security has been a bolt on, right? It’s something you do after you finish everything else. Um, and you can’t take a holistic approach unless you think about how cyber security is linked to everything else. And then these organizations, yeah, must put in policies and procedures, but more important in putting in the procedures they have to enforce those procedures. I mean, too much lip service into what we should do.
Scott Luton (23:47):
Yeah. We can’t, no, we enough lip service leadership, right? It’s all about deeds, not words. Yeah.
Karen Braxton (23:53):
Good. Good point, Kevin. A lot of, um, they’re even doing that with, um, some of the smaller, um, subsets in the government where, you know, they’re saying that they’re gonna have their budgets set aside, um, to improve the security measures and do different things for risk assessments and risk management, but it seems like it’s not getting done. Um, the hackers are still getting through <laugh>.
Scott Luton (24:15):
Yeah. Well, so Bruce, uh, with those first two priorities that Karen mentioned, you know, more holistic approach and, and establishing and enforcing, um, your thoughts, Bruce.
Bruce Spector (24:25):
So, yeah, let me, lemme take them sequentially. Let’s talk about holistic. Let’s, let’s explain what holistic really means in the cyber world. Um, in the, from a hundred thousand feet, it’s a lot better to design cyber security systems in from the start than to retrofit. So if you’re gonna put a system in a new network, you should be thinking about how you’re going to address cybersecurity. How are you going to mitigate, how are you gonna detect, how are you gonna remediate? How are you gonna do the things that cyber people need to do to that system? And that starts with making sure your software guys are, uh, aware of the issues, making sure your hardware guys are, making sure your operators are aware, making sure you have plans and systems in place. And it takes a, um, uh, a a unique understanding of your security profile, what you have and what you need.
Bruce Spector (25:21):
And that takes time. And you need to have your systems assessed as to what your vulnerabilities are. And that’s what I think we mean by being holistic. And, and I couldn’t agree more with Karen. I think that’s probably, if I were in the supply side right now, that’s the thing I would be most worried about. Uh, but if in 2023 you’re gonna start to see something else, and this talks to the second topic, you’re gonna see the US government get a lot more involved in the regulatory side of cyber because the government’s starting to realize some of the issues. I mean, look at Colonial Pipeline. You know, you had gas lines because, uh, you had a, you had a breach in cyber that was completely preventable. Completely preventable. And we’ll talk about that in a little, little while. But if you look at what the government’s gonna do, um, I know Baltimore Cyber currently, we actually, um, uh, provide the proficiency testing for government assessors to assure that the clouds are safe for government data.
Bruce Spector (26:24):
So if you’re an assessor, and you’re gonna determine whether Amazon Web Services or Microsoft Azure or any of the major cloud systems can hold government data, they have to be assessed by the government to meet certain minimum requirements. These requirements are dictated by NIST and National Institute Standards. So, um, that requirement, um, is just for clouds. Now, that’s relatively small set subset of the IT world. Now there’s this new board that’s come out that, if I were in the supply side, I would wanna know about this. It’s called CMMC. It’s a cybersecurity maturation model certification. What CMMC is going to do is by 2025, if you are a US government, DoD contractor making anything, be it, you know, guns, butter, or IT systems, you’re gonna have to be deemed that you know what you’re doing in cyber, where you will not be able to get a government contract.
Bruce Spector (27:23):
Now, if you are an executive in the supply side or supply chain, I think it behooves you to understand what that is, and it’s gonna cost you money, and you’re gonna have to spend some time under getting your staff trained. But it’s something that’s gonna be necessary for you to do business. And if you don’t pay attention to that, it’s gonna be very, very expensive down the road because you’re gonna be frozen out of opportunities that you won’t be able to bid because you’re not gonna be qualified to go after that work. So that’s where I think is a, it’s a very major thing. If I were a on the supply side, I wouldn’t look at that as closely as possible.
Scott Luton (27:54):
Bruce has a great call out now, cmm, CMMC CMS is something, yeah. Um, Allison Giddens, one of our hosts here at Supply Chain Now has spoken a lot about and involved in kind of the community that’s proliferating that, um, you know, cause to your point, if you’re making parts for, um, uh, F-22s for the Air Force, right? Mm-hmm. <affirmative>, we gotta secure the supply chains, right?
Bruce Spector (28:17):
Would you want to back, would you want somebody like, like a rogue nation to get ahold of our nuclear weapons? I mean, of course you don’t. I mean, right? And, and that you have to have some minimum level of standard right now. It’s the law west, right? I mean, there really aren’t many standards that are being enforced. I, I, my my hat’s off to the US government. It’s about time we did something like this. And I think the, the world needs to do more of this internationally because there’s a lot of bad things that can happen with cyber. And we’ve only, we’ve only hit the tip of the iceberg. Yeah, absolutely.
Kevin L. Jackson (28:47):
The tip, and this isn’t like, so Kevin,
Scott Luton (28:49):
Get you way in here before we, we
Kevin L. Jackson (28:51):
Continue, yeah. This isn’t philosophical, right? Um, they built the F-22 and found out after they were building that they were actually Chinese components in it. And I’m sure you’ve heard about Huawei and in fact, that many, uh, of our rural telecommunications infrastructure, uh, use Huawei equipment. And one of the biggest, uh, I guess, concerns is that the equipment has cybersecurity back doors in it, which has led the US federal government to actually fund a, a rip out and replace of all Huawei gear, uh, in the United States. And this is because of cyber security concerns.
Bruce Spector (29:42):
And, and that’s, that’s a sophisticated threat. And, and I think that’s a good example of what, you know, regulatory bodies could do to help by making sure these back doors don’t exist. But it’s even more basic than that. And I keep going back to Colonial Pipeline cuz this is not classified and it’s open and there’s data, you know, uh, the bad guys shut down Colonial Pipeline for months. And the reason it was determined that the systems were shut down was because a live set of credentials were available on the dark web. Now that is beyond belief that an organization like Colonial Pipeline could be shut down because somebody bought a, uh, a username and a password and was able to get into the slips and introduce ransomware. That, that, that, and that’s, that, that’s the kind of thing that regulatory regulatory operations like CMMC and things along those lines can stop because CMMC says, look, you need to make sure that these credentials are controlled. They have conditions that are actually documented in doc in, uh, paperwork that you assign and agree to do. That’s kind of the direction we’re going in. And if I were an executive in the supply side, I would’ve would want to be looking at that very closely.
Scott Luton (30:54):
All right, so let me let jump in here. So a lot of great discussion, and I love the passion and the expertise between all three of y’all. Uh, so Karen laid out the first two priorities, right? The first one being, all new manufacturing systems need to take that holistic approach to cyber. And the number two need to establish and enforce policies and procedures. Bruce, I wanna keep driving with your two priorities as we, as we continue to build out this top five list.
Bruce Spector (31:18):
So, yeah, I think, um, I think that there, and this almost sounds trivial to state, but you need to be aware of the threats that exist in your industry. Um, every organization has a security profile. It’s very unlikely that if you’re making popcorn, that the Russians are gonna be interested in what you’re doing. So you don’t, and so you probably don’t need to get to the level of a, um, uh, you know, of a security profile that you would have if you were handling top secret or classified data. But by the same token, it’s possible that there’s a, uh, you know, if somebody around the corner knows you guys are making money, and maybe if I, if we didn’t let you get to your records, maybe you’ll be giving some of that money. So you wanna make sure you understand how those threats operate. It’s interest.
Bruce Spector (32:09):
An interesting comment for, for our viewers, you know, there’s about 8,500 known cyber threats. Uh, they live in a database, it’s called the Melo database. And, and we know what they are. And somewhere close to 95% of all instances of cyber are repeat defenses. They’re not what we call zero day. Zero day is stuff that’s new. It’s never happened before. Zero day stuff tends to be from nation states. So it’s unlikely a small guy is gonna be hit by a zero, zero, um, zero day threat, but it’s very likely that he’ll be hit with something that’s known. So if you know the threats that are out there and you build the defenses to deal with it, and you have a plan to remediate and detect that you’re like, you’re not gonna be, you most likely will not be a victim. So those are the things I would say.
Bruce Spector (33:00):
I I, I think that the, the executives and the people that are running these supply side organizations could really look at what their threats are, what their security profile is, and what, what’s a good tack to address that, that threat. Yeah. So, um, I think the other thing we talked about was an actual plan to detect, mitigate, and remediate. Uh, I, I throw those words out very quickly because cyber people, that’s what we do. We detect, we mitigate and remediate threats at the end of the day that we’re all part of that function. And you as a, a, a business entity or a manufacturing entity or a supply side entity need to have some way of doing that. And it’s not that difficult. Uh, there are professionals out there that can help you. There’s risk assessors, uh, they can do gap analysis. Uh, you should look at that and you should come up with some way to do that. It, it, it’s quite possible. And I’m, I’m pretty sure it’s coming that over the next few years you’re gonna be required to do that, to be in business. So, uh, if you can get a jump start on that, you, you’ll be helping get yourself ready for the future, and you’ll make yourself safer.
Scott Luton (34:11):
All right. So Bruce, uh, you shared really, and of our top five list items, number three and four. Number three, manufacturers need to understand their cyber security profile, current standards and regulatory requirements. And number four, folks, you gotta be aware of the threats that not only exist in your industry, but you also have to have a plan to detect, mitigate, and remediate all cyber threats. Right? Right. So before we get to number five, Kevin mm-hmm. <affirmative>, I wanna get, uh, Karen and you a chance to weigh in. So, Karen, that’s, that is, man, I’ve got, by my count, we’ve got seven full plates of things we’ve gotta do already. Karen, weigh in
Karen Braxton (34:49):
<laugh>, how about that? Yeah. Uh, good, good points. Um, Bruce, and I think too, um, a lot of the manufacturers that are out there, um, you know, we were talking about policy and compliance and um, you know, we have NIST, um, that’s there, we have got CSA, um, Cloud Security Alliance. Um, and Bruce had mentioned about CMM, uh, CMMC, I think 2.0’s coming out, um, next year. At any rate, um, overall, yeah, I think if, if the businesses, um, understand their profile, understand their infrastructure and protect it, um, you know, can you imagine if everyone had a SOC? Okay. Or we all, uh, you know, implemented, um, zero trust software, um, you know, not allowing anybody in. Bruce was talking about the, um, pipeline, the Columbia, uh, pipeline and, you know, had they had some other type of, um, identity credentials, uh, multi-factored, maybe three or four, um, ways to log in. Um, even if the credentials were found on the dark web, um, you know, possibly they wouldn’t have been hacked, um, because the person wouldn’t have been able to get in if they didn’t have a fingerprint or an iris scan or something like that. So, yeah.
Scott Luton (36:09):
Okay. Thank you. Great. Yeah, definitely good stuff there. Uh, Karen, I’m gonna have to go to the, the source and look up all these acronyms after today’s show. Cause they’re bringing
Karen Braxton (36:18):
It. I know I do that
Scott Luton (36:19):
<laugh>. No, no, no, it’s good. You know, being a veteran and being in supply chain, hey, we love our acronym, so I really appreciate it. Just, just having a little fun <laugh>. Um, okay, so Kevin, yeah, before you get to number five, weigh in on what Bruce really was sharing with, uh, number three and four there.
Kevin L. Jackson (36:35):
Well, one thing Bruce talked about was a cyber security profile. Um, and it, I mean, that’s very important and it’s very critical, but we also have to remember that a lot of this is new. Um, think about social media. How does your organization view social media? Is it a cybersecurity threat? Well, when you think about the fact that TikTok is owned by Chinese and that there are, uh, fears that TikTok is collecting personal information that’s being sent to Beijing, uh, could that be a problem for your company? So it’s not a, it’s not a narrow or esoteric thing, right? Everyone is using social media. How does that fit into your cyber security plans? What is the threat to your organization? How do you remediate the cybersecurity threat from social media?
Scott Luton (37:47):
Yeah, great point there. And, and, uh, just a little play a little play on what Bruce said earlier. Uh, he talked about if you ask bank Kros, why’d you rob the bank? That’s where the money is. <laugh>. Well, you can ask hackers, why’d you take that personal data? Cause that’s where the money is. To your point, Kevin. Yeah, they’ll play this. You can, cause you can, yeah, I’ll get, I’ll, you’ll get some, some bonuses on that IP usage there, Bruce. I’m gonna get miles and miles outta that. Okay. So Kevin, we’re building a very healthy top five list of, of cybersecurity priorities that manufacturing leaders in particular need to take into consideration for 2023. Bring, you’re the home run hitter to bring in number five here.
Kevin L. Jackson (38:25):
Well, and remember focusing on what the company needs to do for itself, how to protect itself, uh, what its own regulations, its own policies. Uh, but these organizations are doing business and they don’t do business alone. They have partners that they work with. They also are selling products and services to customers, uh, and maybe other companies. So from a cyber security point of view, you are operating in an ecosystem also that parallels your business ecosystem. So I think number five is protect your cyber security ecosystem. Know the, the policies and plans of your partners because that is a gateway to your network.
Scott Luton (39:26):
Mm. Well said Kevin. I love that. Protecting that digital ecosystem. Uh, Karen, your thoughts on, on uh, uh, the fifth priority there?
Karen Braxton (39:36):
Very important, very important, Kevin. Um, you know, as we were talking about the ecosystem, um, and you do have to know it. You have to understand it or otherwise you aren’t gonna be able to protect your data, right? So I think, um, businesses and industry as well, um, need to really hone in on that.
Scott Luton (39:57):
Yeah, great point. We need a, we need a, a digital version of Captain Planet for the dig digital ecosystem, perhaps. I dunno, um, <laugh>, Bruce, your thoughts on, on,
Bruce Spector (40:07):
Yeah, I mean, I could not agree more. And, and I think it, it was very astute, Kevin, to point that out. And, and I think a natural derivative of that is that you have phenomenal teamwork between primes and subs and sub subs, and you certainly as a subcontractor, don’t wanna bring your prime down because you screwed it up on a cyber basis. So I think you’re gonna find that there’s gonna be a lot of, not only having to have that, but you’re gonna, it’s gonna be required by your customer. If you’re a subcontractor and you’ve gotta meet a certain standard to, to meet cyber requirements, he’s not gonna do business with you unless he knows you’re not gonna cause problems. So I think it all works in the same thing.
Scott Luton (40:47):
Well said Bruce. Uh, appreciate that. Uh, and Bruce and Karen, don’t go anywhere. We’re gonna find out, we’re gonna make sure our listeners know how to connect with you both here, uh, as we start to wrap up today’s episode. Now, Kevin, before we do that, uh, of course, today’s episode’s presented in partnership with our friends at Microsoft, who’s been up to some really cool things in the industry here lately, right?
Kevin L. Jackson (41:07):
Right, right. Absolutely. And when you’re talking about manufacturing, um, and technology, there’s like, there’s actually two sides of the house. You have information technology or IT, and operational technology or OT. And historically they’ve never talked to one another <laugh>. They’ve, they’ve stayed on both sides of the house with a big wall between them. Um, and that’s great if you want to get hacked, if you want to get attacked if you’re not interested in protecting your cyber security. And that’s why Microsoft is really focused on strengthening IT and OT security for manufacturers in order to prevent plant downtime. Uh, they now offer agentless IT and OT security monitoring with Azure Defender. Um, this is really tightly integrated with the Sentinel, which is the cloud based security solution that provides SIEM, or security information and event management, and SOAR, the security orchestration and automated, uh, response services, uh, in the Azure public cloud.
Kevin L. Jackson (42:30):
That combination really provides a single solution for alert detection, threat visibility, and proactive hunting and threat response. Uh, and based on the anomaly detection, uh, technology that was acquired via CyberX, the solution has been deployed in some of the world’s largest and most diverse industrial environments, including Global 2000 firms in manufacturing, chemicals and pharmaceutical. It, it secures greenfield as well as brownfield as, and proprietary IT and OT devices, including those that may run older versions of Windows, uh, that can’t be easily upgraded. It can also be deployed either on premise or in the cloud. So Microsoft is really doing a lot in this area.
Scott Luton (43:32):
Agreed. Of course, recently they launched, uh, the announce the launch of Microsoft Supply Chain Center. Yes. Which is piloted by some of the most well recognized companies including, uh, Kraft Heinz North America, which has been using it, uh, to increase organizational agility amongst other things. So, uh, good stuff there. Thank you for sharing, uh, and big thanks to our friends at Microsoft. Um, okay, so Karen and Bruce, I, I have learned a ton from both of y’all and I’ve really enjoyed, I wish we could publish a pre-show as a podcast <laugh>, and then of course, this whole episode, but we’ll save that for later. Um, Karen, how can folks, you know, connect with you and the team at Techno Gen?
Karen Braxton (44:10):
Well, we have a LinkedIn page. They can reach me on LinkedIn, um, just by searching my name. And we also have a, uh, company page as well on LinkedIn. Um, and the ur we have a website, of course. Um, the academy is, um, there too. There’s a link to that site and it’s www.technogencyber.com, the website.
Scott Luton (44:36):
It’s just that easy. And of course we’ll include those links in the episode page, so our listeners will be just one click away. Uh, Karen Braxton really have enjoyed your perspective here today. Uh, Bruce, how can folks connect with you and the Baltimore Cyber range?
Bruce Spector (44:50):
Nope, and we also, uh, are heavily on LinkedIn. Uh, you can certainly look up me v Spec or the Baltimore Cyber Range page. Uh, and we have a fairly extensive website. It’s www.baltimorecyberrange.com. And, um, most of our programs are available, uh, to, uh, at no cost. Uh, we do it as a public service or a state contractor. So we would love to have, uh, your feedback. We’d love to get you involved and we could get you more information on what we do if you’re interested.
Scott Luton (45:20):
Wonderful. Well, uh, thank you Bruce, and big congrats to both you and Karen and your respective organizations for the growth and, and all the success you’re having and the difference you’re making, uh, in, in light as we, as we continue going down the road to this, this exciting digital era, warts and all, uh, preparing industry for that. Um, okay, so before we wrap here, Kevin mm-hmm. <affirmative>, speaking of, uh, growth and success, love what you’ve been doing amongst, amongst other things, but especially with Digital Transformers. So Kevin, how can folks, you know, lean into that and, and, and uh, connect with you?
Kevin L. Jackson (45:52):
Well, actually what you can do is listen to our most recent show that was just dropped, uh, yesterday. Uh, and its title is State Government and Cyber Security. Haha. Like we planned it. Uh, I actually had the opportunity to interview, uh, Mr. Tric Mosley Romero, and she’s a director of the Indiana Security Council. So they’re really attacking all of the cyber security concerns for the state of Indiana. I tell you, Indiana and Maryland need to, need to get together. So that’s, uh, how about that? You can download that on, uh, from your favorite podcast, uh, uh, channel, or you can go to Supply chain now in cybersecurity, and you can always check me out on LinkedIn.
Scott Luton (46:46):
That’s right. Uh, you don’t wanna miss that. Uh, three Power Heavy Hitters here. Great discussion here as we’re talking about the five top priorities, especially when it comes to cybersecurity, that manufacturing leaders gotta gotta take into considerations to move into 2023. So big thanks to Karen Braxton, vice President with Techno Gen Cybersecurity. Karen, thanks so much for carving out the time.
Karen Braxton (47:07):
And I wanna thank you Scott and Kevin, and thanks to Microsoft for sponsoring the show.
Scott Luton (47:12):
That’s right. Uh, Bruce Spector, chairman of the board with the Baltimore Cyber Range. Bruce, really enjoyed your perspective as well.
Bruce Spector (47:19):
Thank you for having me and keep up the good work. You guys do a great job.
Scott Luton (47:23):
Thank you so much, Bruce. And we’ll be thinking, hey, hey, small more. I’m gonna steal that from you, Karen, as well. Well, really enjoyed that. That’s
Intro/Outro (47:30):
Not copyright. So
Scott Luton (47:31):
Feel free to use any way you like <laugh>. Okay. Kevin L. Jackson, the one and only host of Digital Transformers. Thank you, sir, so much, much more. Kevin, always a pleasure. Thank you to knock out these conversations with you. Thank you. Thank you very much, guys. All right, so big thing, sorry, guest. Uh, hey, but listeners, it’s all about deeds, not words. You gotta take action with these ex, these expert insights and perspective, uh, as we get ready for the new year. But hey, regardless, hope you enjoyed the episode as much as I did. Uh, as we sign off here, Scott Luton challenging you. Hey, do good, give forward and be the change that’s needed. With that said, we’ll see you next time, right back here at Supply Chain Now. Thanks everybody.
Intro/Outro (48:07):
Thanks for being a part of our Supply Chain Now community. Check out all of our programming at supplychainnow.com and make sure you subscribe to Supply Chain Now anywhere you listen to podcasts. And follow us on Facebook, LinkedIn, Twitter, and Instagram. See you next time on Supply Chain Now.