Key takeaways from #ManuSec USA 2023 Summit: Securing the future of manufacturing

The recently concluded #ManuSec USA 2023 Summit provided the manufacturing sector with a valuable opportunity to tackle the complexities of digitalization and automation, with a strong focus on security. The event delved into various techniques and solutions to combat the growing cyber threats faced by the American manufacturing industry as it continues to adopt technological advancements.

Hosted by QG Media, the #ManuSec USA 2023 Summit provided IT and OT (operational technology) security practitioners a platform to collaborate on strategy planning, share expert knowledge, and gain valuable insights. The event aimed to equip attendees with actionable takeaways to protect the industry. Manufacturers can enhance their cybersecurity posture and safeguard their assets by implementing the insights gained from the conference.

QG Media organizes international B2B events for professionals across IT security, industrial cybersecurity, and the Industrial Internet of Things (IIoT). Its summits are put together in collaboration with industry experts from various sectors, including governments, institutions, academia, vendors, and end-user companies.

Held annually, the #ManuSec USA summit aims to shed light on the evolving cybersecurity landscape within the manufacturing industry and foster collaboration between professionals in the field. The conference provides a fertile platform for attendees to network with senior cybersecurity professionals from various manufacturing sectors, including aerospace and defense, machinery, electrical, food and beverage, automotive, metals, chemical, pharma, and transportation equipment. 

The #ManuSec USA 2023 Summit aimed to help manufacturers improve their cybersecurity and protect their assets from attacks. It emphasized the need for collaboration, policy frameworks, enterprise-wide engagement, and practical steps to enhance manufacturing security. The summit provides a platform for stakeholders to discuss and exchange ideas on dealing with cybersecurity incidents in the manufacturing sector. By working together, stakeholders can build a resilient manufacturing sector in a digital world.

The main themes of this year’s conference revolved around enhancing the resilience of manufacturers’ supply chains, safeguarding vulnerable and unpatched OT systems from exploitation, implementing a zero trust network architecture framework and strategy, mitigating risks associated with cloud migration, fostering a collaborative security culture between IT and OT, and developing specialized security training programs for OT.

Industrial Cyber had the chance to engage with a few participants of the #ManuSec USA 2023 Summit to offer insights into the event’s ambiance. The team interacted with a diverse group of attendees, including C-level executives, cybersecurity specialists, and engineers. The conference served as a hub for various ideas and experiences.

There were high-caliber industry leaders, speakers, and vendors all with the same interest and expertise, Reynaldo Gonzalez, principal cybersecurity architect at Cummins, told Industrial Cyber. “It felt like you are part of a big team all sharing insight and providing support for areas of interest that may be challenges at work or give the confidence that you are heading in the right direction.”

Derek Anderson, manager for OT cybersecurity at Ingevity, described the atmosphere at ManuSec 2023 as extremely engaging with many organic conversations arising outside of presentations with individuals who were generally inquisitive to see where asset owners were in their security journey and how they are tackling common pain points across the industry. “Even asset owners across industries sharing solutions and ideas to unique situations helps get the conversation flowing into alternative resolutions for individuals at the event,” he added.

“The event was very well organized with a mix of manufacturing asset operators from different verticals as well as luminary speakers from government agencies, such as NASA, NSA, ILN, etc.,” Sachin Shah, OT/ICS cyber security architect at Applied Materials, told Industrial Cyber.

Analyzing the importance of specialized events like ManuSec for the industry, Gonzalez said that events such as ManuSec truly help bring a community together across the industry to share what works and what doesn’t. “It is a place to go to network with others, take part in conversations and learn from others. Whether someone is starting out and trying to figure out where to begin or someone is already on a journey, they can identify obstacles to come and how to navigate them,” he added.

“I believe these events are exceedingly beneficial to the natural forward progress of the industry,” Anderson told Industrial Cyber. “It helps individuals get a pulse on how industry peers are postured, what are the challenges they run up against, and what are near and far term initiatives. These events can also help calm the nerves we all have, as we see other companies are experiencing the same issues and near the same maturity as our own organizations.”

Shah observed that industry-focus events, such as ManuSec, are crucial so all parties from OEMs (original equipment manufacturers), cyber solutions providers, and asset operators come under one roof and provide their insights and valuable information.

The executives shed light on the major moments and conversations both on and off the stage at the event.

“There were many great conversations that took place and many lessons learned we can take internally to our teams,” Cummins’ Gonzalez noted. “For example, on stage, we talked about the importance of bridging gaps between IT and OT. It is vital that we have alignment with top leadership and key stakeholders to build trust and communicate on both sides how we need to work together. There will always be challenges involving legacy or process limitations, but if we can understand each other’s pain points, we can arrive at a middle ground to establish security guardrails that still support business operations.”

For off-stage conversations, Gonzalez said that it was beneficial to further understand the intricate details that others go through when identifying risk, how to capture the right metrics, and having the right conversations with key stakeholders to help push security strategies forward. “We gained further insight about understanding who the technology players (i.e. vendors) are in the space for OT security. If we understand the landscape that needs attention in our environment, then we can correlate how different vendors provide their security capabilities for the right set of use cases,” he added.

Anderson mentioned that from his perspective, “After giving my presentation on ‘How to develop an OT Cybersecurity Program,’ there were many conversations on the use of standards to develop an OT-specific security program. Multiple times outside of the presentation rooms I was pulled into hallway discussions on the topic of standards, mostly NIST vs IEC 62443, but also where to get started once a set of controls is chosen.”

He added that two other topics of interest he noticed pop up multiple times were the organizational structure of the security team (from a reporting perspective) and incident response/disaster recovery conversations.

Shah said that “some of the topics that caught my eye are – National Critical Infrastructure priorities and threat agent they are covering to protect US critical infrastructure; maturity amongst industry-specific verticals such as nuclear, automotive, chemical, food, etc; and discussion around risk appetite vs. conformance to industry standard between Purdue, NIST, ISA, etc.”

Covering the main cybersecurity issues in the manufacturing sector that industry experts highlighted at the gathering, Gonzalez said that the main cybersecurity issues impacting the manufacturing sector that stood out to me include, but are not limited to: not having a cohesive security strategy or program to address existing challenges, the challenge around IT and OT working together, third-party risk mitigation, and reducing risk while aligning it to an effective security strategy.

“The key themes I noticed were a focus on lack of visibility and lack of segmentation, I would say vulnerability management was a distant third,” according to Ingevity’s Anderson. “While the presentations of these topics were generally from a solution provider, I would say these are common areas of need in the industry. The challenge for the asset owner is sifting through the dozens of choices from pure OT-specific vendors to IT vendors who have dipped their toes into the OT waters. Each has their own merit, and areas in which they shine.”

Shah said that the “theme revolved around asset visibility, risk, threat, and vulnerability management, real-time threat detection.”

The executives provided lessons that the manufacturing sector could draw from the event, and what issues the industry needed to tackle before ManuSec USA 2024.

“The event was great but could use a little more organizing with physically displaying which topics were held in each of the tracks,” Gonzalez observed. “For example, a digital online/mobile agenda is great to reference and have access to, but since the topics were back-to-back, there was little time to identify which track was next or would be of interest. It would be helpful to display the ‘topics of the day’ per track at each of the entrances. The digital agenda helps, but I would have found it easier to see something physical near the track entrances since I wasn’t always checking my phone.”

Anderson mentioned that at ManuSec 23 and various other events, numerous knowledgeable people engage in in-depth discussions about highly technical controls and present compelling case studies on intriguing subjects. “Based on my many conversations at the event, I believe there are a lot of companies at the beginning of their security journey, as such, they need to focus on understanding their gaps, closing the ground on lack of documentation, all the basics that are not so glamorous, before looking at the plethora of tools and trying to take on extremely detailed technical controls,” he added.

Shah highlighted “bridging the skills gap, training and converging edge architecture including IT/OT convergence.”

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.