Key Takeaways from ARC Industry Forum

Recently, I attended the 27th Annual ARC Industry Forum in Orlando, Florida which brought together individuals from all areas and roles of OT, IT, IIoT environments, primarily focused on industrial and energy transformation.

These professionals representing organizations exploring technologies like digital twin, private or public cloud, machine learning, edge computing, IIoT, augmented reality, and many more came together to discuss, contemplate, and strategize about how to enable organizations with improved business processes and methodologies that are blurring and obscuring traditional functional boundaries not only internally but within their third party.

These organizations are looking to shape their teams, grow their skills and capabilities so that they can meet the evolving current and future challenges of digital transformation, evolving cybersecurity, governance, and compliance initiatives, and deal with aging workforces and the loss of the skilled industry veterans, who are retiring or leaving the industry for a myriad of reasons.

So, what does ARC truly mean to me? It means Authentic Relatable Conversations. Having been to a plethora of IT, OT, and business-focused conferences, one of the things that has stuck out to me over time (aside from some of them becoming more like a class reunion) is that many conferences provide quick, brief, amenable interactions but lack the important connection of open meaningful dialogue. Users generally are not willing to get into meaningful conversations about what keeps them up at night and their true concerns. Vendors, on the other hand, go with a focus of targeting high-value executives to the point where the executives flip over their name tags, provide misleading contact information, or refuse to be scanned.

To be clear, we all need each other to truly resolve today’s challenges. We all need to work together and have candid discussions about People, Process and Technology. And we all need an open mind to learn something new.

Now you may find this just lip service or cut-and-paste generalities, but I want to provide a few factual examples of how my acronym of ARC truly got its meaning.

To write this article, in an unbiased way, I spent time walking the floor and engaging with people from all areas of attendees. The thing that struck me was that everyone I walked up to and said “Can I ask you an honest question about the show?” did not shy away from the discussion. Not only did they not shy away from the discussion, but many sought me out later at our booth to learn more about what our company does. These engagements were not brief 5-minute conversations but ones that lasted 15 minutes or longer and generally ended with the individual asking if I could please scan their badge (even after they grabbed my business card) and to make sure I followed up with them for whatever the engagement goal of the interaction was.

Even after the show ended for the day, I spent hours with attendees who just walked up to me and others from my team and sat down for chats about the real challenges and business pressures they are facing and how safety and control of their environments is paramount in any current or future business goals. We used the words People, Process and Technology in meaningful ways.

We discussed things in ‘context’ and the lens that they viewed their challenges in. One attendee stated that his leadership was feeling pressure by a vendor to move their life safety systems to the cloud. I responded with let’s put this in another context that maybe leadership can relate to and gave the example of “How would leadership feel if you moved the airbag deployment sensors on their family vehicle to the cloud?”

In regard to taking feedback from those at the show, one attendee mentioned to me that if this was truly an OT-focused show that before every day began there should be a safety meeting / minute-type announcement. Not only did I fully agree but when I was approached by show staff about how we could improve the show I brought up the individual’s concern and they 110% agreed that next year this needed to be part of every day’s activities.

As for the technology present at the show and speaker/panel sessions, the feedback I got was very positive generally. The session tracks covered a wide range of areas and real challenges, such as the moving to the cloud, changing global regulatory and cybersecurity requirements, renewable energy, legacy infrastructure, isolated environments, and the pressing need to have secure access from anywhere around the globe to truly move at the speed of digital business today (true ‘Digital Transformation’).

Oddly enough the buzzword ’ransomware,’ which seems to be a catalyst for many discussions within the OT space these days, did not come up in any discussions I was engaged in directly with attendees. While it was used in some presentations, it was not a word I heard those working within the space mention. While it is truly a concern they acknowledge, many now realize that just by doing proper defense in depth, change management and aligning to proper security frameworks, it is a risk that can be managed.

In conclusion, my positive takeaways from the show (trying to be the glass half-full optimist) are that hopefully these truly candid and open discussions that were had move past the verbal stage, and we all work together to make them actionable. That we look at the progress being made by groups at the show such as the OPC Foundation which is making huge strides in standardizing interoperability between vendors for the secure and reliable exchange of data in the industrial automation space and in other industries. And lastly, we can all come to an understanding that connecting IT to OT is called interfacing and not integration (based on another long and deep discussion at the show).

Kevin Kumpf

Kevin Kumpf has more than 20 years of IT security and compliance experience, including over 10 years of cybersecurity, governance and critical infrastructure experience working in the energy, medical, manufacturing, transportation and FedRAMP realms. Kevin’s past roles include Director of OT Security (N.A.) for Iberdrola, where he oversaw the security, and regulatory compliance of multiple OpCo’s, and Principal Security and Regulatory Lead for interactions with the NY and NE ISO’s, NERC, ISAC’s as well as state and federal entities. He has also worked internally and as a vendor/consultant at multiple healthcare and manufacturing entities to mitigate the threats they were under in relation to ransomware, insider threats and malware infestation. Today Kevin works as the Chief OT Strategist at Cyolo.