Gordon Twilegar, VP of Global Information Services at PAC Worldwide

For over seven years, he has led the digital transformation at PAC Worldwide as the VP of Global Information Services & Technology, driving innovation through machine learning and generative AI to enhance business processes, product marketing, and revenue streams. He specializes in aligning technology initiatives with company goals while building high-performing teams and providing strategic advice across IT and manufacturing sectors.

LinkedIn

Company Website

Nikhil: Cyber threats are big and increasing in manufacturing. For the last three years, manufacturing has been one of the top three industries when it comes to cyber threats. Today on the Growth Unplugged podcast, we are going to be covering and having conversations around cybersecurity in manufacturing.

With me, I have Gordon Twilegar, who is the Vice President of Global Information Services at PAC Worldwide. Welcome, Gordon. 

Gordon: Thank you. 

Nikhil: Good to have you. 

Gordon: Good to be here. 

Nikhil: You have a good background on the cyber security side off software when it comes to antivirus software. But today you do so much in manufacturing. So tell us a little bit about that. 

Gordon: Some time ago I was working for a software company that built in the early days various antivirus tools. And at that point, antivirus tools were really not enterprise worthy. And so we scaled that out, and we deployed it to one of the largest software companies in the world.

And we learned a lot. And I was part of the architecture of that product. Helping to design the scalability of that product. And later in life I was either on the vendor side, manufacturing software. Now I'm in a manufacturing company that manufactures flexible packaging products.

Nikhil: Gordon, if you take a few steps back, almost everybody has this picture in the mind that when it comes to cyber security, have an antivirus software in your system, and that's about it. It takes care of you. But I think on the manufacturing side there's a lot more to it. So could you break down that when you just take cyber security as a whole area, what are all the different aspects or areas in manufacturing where cybersecurity has an influence?

Gordon: Cybersecurity is really is a lot about hygiene. If you think of it that way. You have to nurture your entire environment to ensure that not only do you have the tools in place to detect and respond and remediate. You also need to have very well thought out processes and best practices in place and exercise the practice of eradicating a potential threat and it needs to be in a certain cadence.

So it takes buy in across the entire management organization or the team within really everyone has to come to the table to ensure that they understand what cyber security is, they understand their role and maintaining the hygiene, the health of the organization.

They need to also understand in manufacturing, their respective sites, who owns what function, what role. And how they play a part. So everyone has a hand in ensuring the health of the company when it comes to cyber security. 

Nikhil: So it's just not the IT department that has to take care of it. 

Gordon: Everyone's involved. There's just no way around it. And it's super important that IT leaders are educating their senior level leaders, the mid level leaders to ensure that everyone is at the table and has a complete clear understanding of their strategy around cybersecurity. 

Nikhil: So, when we use today cloud based systems, etc some of the cyber attacks that we've seen is pretty much that our cloud environments just get locked. Or there's a ransomware. It just gets locked out, and most of the time the problem we've seen is that it's our people who clicked on something that they shouldn't have. Yeah. Is that about it, or when it comes to manufacturing there's much more  than that? 

Gordon: There's all kinds of avenues, for a bad actor to breach the perimeter of your business. One of the easiest ways is to basically fish somebody. That's the term that's often used. And tricking someone into clicking a document signature, an invoice, look at this invoice. Oftentimes the email originates from the CEO or the President or the CFO or someone in VP of Finance or something of that with credibility.

So you don't think to not click on that link or that PDF document, which has something embedded in it. That's a real hot one. But that doesn't mean they can't come in another way. We saw Target when they were impacted. There was a supply chain insertion, which means that somewhere way up the stream, somebody  inserted some malicious code that gave them unauthorized access.

It could be someone buying a piece of equipment and you installing that equipment into your facility or into your retail store or whatever. And at some point, it will activate and provide unauthorized access to systems and potentially scrape data, credit cards this is also common on commerce sites where they just sit there and collect all the credit card data.

And again, it's about hygiene. Without the hygiene, without making sure all these systems are updated, all the vulnerabilities are addressed. As long as you're keeping that current and you have a frequency that makes sense then maybe you're a step ahead. There's no guarantees. So you have to have other forms of coverage, how to protect yourself. 

Nikhil: In manufacturing, when I see, I think you have a lot of enterprise applications. You have everybody's computers. But you also have machines. You have probably warehouse systems. There are just too many other things that we don't know about.

Could you talk about what are the other things other than just a laptop or a computer in a manufacturing facility that needs to be protected?

Gordon: It comes down to you'll hear this term potentially, and particularly in manufacturing, Operational or Operations Technology. Some people say Operational Technology.

But basically these are the I'll call them almost black boxes that connect to machines for us to extract metrics out of it, extract data to initiate flows, workflows, to initiate automation, for packaging automation or other kinds of automation, materials flow automation through the manufacturing environment in total.

That takes a lot of technology, operational technology, OT to make all that happen. And it also requires that things be interconnected and integrated. And generally, they're plugged directly into your general network. It's very flat, which means these things can communicate to each other.

And if any one item that's plugged in has a vulnerability and it's exposed and taken advantage of by an unauthorized actor, inside or out then they could potentially have access to a lot more and cause safety issues. You can actually create a major safety issue if you have control of a machine that could potentially injure somebody, right?

You would have a potential revenue issue if they decided to shut down that machine. Which they could potentially. This kind of technology, you'll hear initiatives industry 4.0, that means internet of things, connectivity for these machines, right? And that is actually created more security risks only because although it's a great idea, you can't do it without also making sure security is a priority.

Nikhil: Understood. Just to give an analogy, what he's saying is that if I went to a coffee store and there were cameras watching, the camera would be more an analogy to an OT system. Or an operational technology is the hardware, basically.

And maybe the backend software, which is watching all the cameras, recording it. That's more of the IT systems in manufacturing. It could be a good way to say that. 

Gordon: Yeah it's a blurry line, really. If I have cameras in my manufacturing floor, then that could be considered OT. Even though IT might own or have the responsibility of making sure that's deployed and operating properly. I would look at a cash register in a coffee shop. That would be OT. The machine that makes, the Americano or Espresso or Latte or Mocha. That's a piece of operational technology, particularly if it's plugged into a network.

Wow. That's a mandatory scenario if I'm worried about security vulnerability, right? Yeah, definitely. Those things are potentially connected, right? You have printers that connect to the point of sale system. And manufacturing plant, a little different. There's actually piece of equipment moving on by the command of central processing unit. Just basically a PLC a programmable logic controller. And there are many PLCs. These little controllers throughout these machines that control all kinds of things. Flows, equipment, process, speed, motors, fluids, you name it.

And it's super important for people to be able to collect data from those, particularly if they want to do any kind of, machine learning processing, and things like that. So that's, really the definition of OT, right? Any of those items that facilitate the manufacturing process.

And then whether or not we need to be super concerned from a security perspective, at least cyber security's perspective is it plugged in to a network? I will say that most PLCs have their own private network. Whether it's a standard network, as we know plugging into the wall or a modem or, a router may not be identical, but can be, right?

We do have routers and network switches and network gear and all those kinds of things. And in a manufacturing environment the word firewall, most people kind of know what that is. They may not know how it works. But firewalls in the manufacturing environment is quite common, or becoming more common.

It's the number one need out there to protect and put a moat around these pieces of equipment so that somebody couldn't navigate from the outside into that piece of equipment causing a serious safety hazard. 

Nikhil: So Gordon, we'd not heard about cybersecurity issues until a few years ago in manufacturing. With this understanding that you gave about what are all the different things that need to be protected in manufacturing. Why is the threat level so high and what's going on that people want to basically attack manufacturing companies?

Gordon: It comes down to dollars. If you interrupt manufacturing, you interrupt the ability of that company to deliver a product. Which interrupts their revenue cycle. Which interrupts supply chains. Which interrupts the health and well being of a company and its ability to employ people and a workforce. So that's why it's a target. Because if that company is an ongoing healthy company, then that means they have revenue, and that means the number one thing you could do is, as a bad actor, is hold a ransom against that.

So basically what they do is they come in and once they've gained access, then they'll encrypt all the data everywhere they possibly can, and then ask for a ransom. Which, right now, I think the average ransom is about 1.2, 1.4 million, in that range and most people pay it, about 60 percent of the people the companies pay it.

Nikhil: Is it possible that apart from money, many times it's the data itself it's hard for somebody to think that, what data or what IP the factory would have actually? Usually, if I look at an iPhone, the design of the phone is where the IP is. Can you talk a little bit more from that standpoint. What is it about the IP that, one has to protect? And that's where it's not only about the money, but it's also about IP or something else that, the factory is responsible for. Is there anything like that? 

Gordon: It happens. We all know that IP is exfiltrated, and sent to black markets and to competing countries. It does happen, but, ransomware is more profitable.

And it's instant and depends on who's on the other side of that action, right? Is it a political action? Is it a state sponsored action to gain a technological advantage? Or is it just information? There could be a zillion different motivations but the easy one is ransomware, right?

Or holding the data ransom. If you shut down the manufacturing plant, you're interrupting a supply chain somewhere. Yeah. We have to assume that that's more likely than some of the other things that are going on. Those still happen. It's just that what's visible and what we hear about every day and where it has the broadest supply chain interruption capability is a ransomware event where everything's encrypted and everything's at a halt.

I know personally of some companies in the area that have been hit with that and were completely shut down for three to four months. Wow. So four months of no shipments, four months of no work being done except for, potentially on paper. Yeah. So whatever the backup systems they have, which is also part of cybersecurity, if  this goes down or you have a good continuity, a business continuity plan, if this area of the business goes down.

How do we fall back to paper? How do we fall back to a different system? How do we recover? And it all comes down to, the people that don't pay the ransom are the folks that are depending on their backup systems to successfully recover all the data in the unencrypted form. That assumes that the bad actor decided not to go after the backups as well. And that does happen more than some would like. 

Nikhil: Understood. Very interesting. 

How are there protections available for manufacturers I'm sure simple things could be done, right? Whether you're sitting here in Seattle. You don't want anybody to access it outside of Seattle. Those kind of methodologies, do they really prevent all the bad actors? 

Gordon: They give you a much better sense of certainty. If somebody puts all their resources on you, they probably would get through. A lot of it's about, Being able to make it more difficult so the more sophisticated person would want to do it, right?

Sometimes there are triggers somebody used a home password on their work password, their home password was compromised and showed up in the dark web and maybe there's some data that correlates that to a user that's working and they just test things.

They're constantly testing scenarios and looking for openings and wherever they find the opening is where they probably go first, right? Easy things. Number one, get everyone on the same page. Educate everyone on how not to automatically click something that's suspicious. Education is a mandatory requirement for cyber insurance.

So you have to have some frequent education around What to look for. You have to have a team that's on top of it looking for potential threats, blocking bad emails. But once you get everyone on the same page and create a strategy, communicate that strategy and, provide the roles and responsibilities to the people that are supposed to do their part and ensuring the everyone is safe.

Then you can start doing some basics, probably going to have to take a layered approach. You're not going to have one solution that takes care of you. You're probably going to need multiple series of firewalls. The outside and even firewalls on the inside, right?

Yeah. Particularly around operational technology. You need to isolate those things off of the network.

Nikhil: So simple question, on the other side, when we talk about people attacking, is it a person? Is it bots? Is it algorithms? Who is it? 

Gordon: It's usually a group of revenue motivated individuals and it might be some state sponsored groups that are more about causing havoc for a particular region. It's a collection of folks, generally not, an official collection unless it's state sponsored. But, definitely, there's a lot less bots or something of that nature, there's a person behind it right?

It's just trying to compress the amount of work you have to do to find an opportunity. That's all they're doing. So bots might just be tools, but ultimately it's a human.

Ultimately, yeah. Okay. Somebody has to write the ransom note. Sure.

Nikhil: You spoke a lot about OT and IT. So cybersecurity really has to be looked at it from a different aspect for OT and different for IT? 

Gordon: I think you need to look at, particularly IT and OT, it's very similar. It's just, different environments you're trying to protect, right?

IT lives throughout the entire organization and OT lives in a very operational, scenario. It's manufacturing, warehousing, any kind of 3PL shipping carriers, the list goes on. You have to make sure the whole chain is protected. One big thing most people overlook is making sure that the company you do business with is taking steps to ensure that their cyber security hygiene is actively being nurtured.

 , For example, if we want to onboard a new vendor, you need to ensure that, they have taken steps to put their moat around their business and their operations. You want to make sure that they have some policies and some ability to fend off an attack. You want to make sure that they have some kind of security Operations Center, SOC being able to monitor, detect and eradicate the the bad actors or, code that may be floating around in your system.

 So a lot of strategies out there. Key thing is to follow, at least in the US, NIST. National Institute of Standards. They do have a paper on security for OT, operational technology. You have to read that to really understand

what layers of protection you really need to put into place and cyber analysts get consultants. There's some great software out there with good consultants as well. 

Nikhil: So I want to take a segue here where we talk about what manufacturing leaders should be doing in this space. But before that I just wanted to jump in a little and I ask about you. You talk so passionately about this subject and you've been in this basically for so long.

 What's been your motivation, factor, Etc about this industry. I can see that when you talk, and I ask this because, many times it comes across boring. It is necessary, but it comes across as boring, so if you could shed some light there.

Gordon: You just need to keep it simple when you're working with different stakeholders in your organization, and it really comes down to tolerance. Okay. And when you ask the question, how tolerant are you to a one week shutdown? Revenue wise, business wise, brand capital, or brand equity, reputation basically, customer goodwill.

How tolerant are you to one day, one week, two weeks, one month, three months, and then the passion will arrive.

So connected to where it matters, it's usually around the money. It's about livelihoods. It's about jobs, families. Absolutely. You just look at, Now you got me thinking. Yeah. Yeah. Most people don't realize that, it's just another cyber attack.

Let's look at what happened with cloud strike. It wasn't a cyber attack, but it's exactly how one might occur. How many flights were canceled? How many vacations were ruined? How much passion was found in those conversations? A lot. Yeah. Even though that was just a testing problem and it's happened before to some of the same people that are behind it.

You just have to be very careful. And the advice I have to IT leaders is you might be getting, these updates. And with SaaS it's really easy to be forced to take an update. In fact, you don't have a choice in many cases. But if that code. The SaaS service has an agent or a piece of code that goes on your actual equipment or goes into a virtual machine or a desktop that's hosted in the cloud.

You should do canary testing before. 

What is canary testing? In. Days of mining, you always brought a canary bird in a cage with you just in case there was a poisonous gas in the mine and if the canary kind of fell over in this cage, you need to evacuate immediately. So that's where it comes from.

 But canary testing is, hey we're going to deploy this in a very tight knit group, like maybe a small group, a department within an IT group or, key people that are willing to test this so called generally available or completely tested code from the vendor, right?

If you go on blind faith that code is working and everything's perfect and you can let it roll out, you have a cloud strike, right? Now what if, and this is only a what if, this is not what happened a bad actor got his hands on some of that code at a SaaS provider, could be even a security provider, it has happened, and they've injected some bad code and then that was pushed out by the SaaS and then now it's in every single machine.

Now they have control. And they could be there for years before they decide to activate that, assuming someone doesn't discover it first, right? And even though it wasn't a cyber event, it sure felt like one, but that is the perfect vector, we call it, vector to get upstream supply chain insertion.

And come into your OT, your desktops, your servers, your cloud, doesn't really matter. Or everything that impacts our lives. Which is why it's so important to have a backup that's immutable, that cannot be changed by a bad actor. Yeah. To have the backup that has good data. Because if you don't test that periodically, you wouldn't know it.

Yeah, he may back up garbage and then restore garbage. It's probably one of the key tenets. If you don't have backups, then, and you pay the ransomware, you pay them off. You say, unlock my stuff. It could take you months to unlock it because now you have to unlock it one piece at a time with some key.

Maybe there are new tools out there that will do it in mass, but I haven't heard any myself. 

Nikhil: Take us a little bit into the past right click. Was it the same 20 years ago? What is the difference between how it was 20 years ago versus how it is now? Is it just too much? Or was there a fundamental difference? 

Gordon: In the past you would lose an individual computer. You didn't have really cloud per say, If we go way back you might have managed service providers, ISPs, they might be impacted. You still might have the same thing that would happen with the airline because they would have, 800 servers somewhere in a server farm.

And it could happen, you didn't have a SaaS provider that forced you to take that update so quickly, right? And so updates were coming far and few between, meaning, once a week, once a month, but now updates are happening every day.

All you have to do is look at your phone, doesn't matter whether it's an Android or Apple. Which is the prominent two, right? And look how many new updates have come in on your applications. And then look at the note, it says, we're just squashing bugs and making it safer from a security perspective.

There's really not that many new features that are coming. Correct. But it does come out and every time someone issues a vulnerability notice, right? That's the CVE. Everyone has to go check to make sure their source code, or their code, or their application isn't impacted by that, and if it is, what do they have to do?

They have to update it. I can update my phone, and it might have a hundred updates. I wake up in the morning, there's forty more. I wait through the afternoon, there's forty more. Apple or someone else releases a new operating system. Oh, now I've got, another hundred. I've got to update more apps.

Why? Because there's compatibility issues and you have to keep it secure. Enormous amount of money being spent just in this area. All right. 

Nikhil: There's so much digital transformation happening so many challenges. Cyber security is a big subject. And a lot of manufacturing leaders that at least I come across they all actually come from the domain.

And then they have either gone into the IT space, because they understand the business side very well or they would come from systems engineering standpoint or system administration standpoint. They understand network, servers, setup, but cyber security is always one small subject as part that, it's okay to know a little, but not anymore.

So what would you advise right now to manufacturing leaders who are either starting off their journey? Or doing a little bit people who already have got a few ransom attacks. They're, I think, probably much better off. Maybe. It's a question mark. But I'm asking more from the people who are starting off.

What are some of the mistakes they could avoid by learning from your experience? 

Gordon: I think they just have to have the courage to speak up and make sure that if they can't get it across to the board and the senior leadership that they bring in someone that can, even if it's temporary or a consultant or you need to educate everyone around you.

Is there a reason behind that why someone would not have the courage to do this? 

Because there's probably more pressure to complete and execute other projects. Okay. It's really mindshare. And our problem is security is the thing that no one wants to worry about, but they have to.

Now they need to want it in order to stay safe. Educate yourself. 

Nikhil: So what he's saying is rather than reactive, we have to build a proactive mindset. It's inevitable. 

Gordon: Yeah. You have no choice, right? 

It's, before you go to work or before you go to sleep, you generally want to make sure you have fuel in your vehicle, whether that be electricity or would that be gasoline or diesel?

Yeah. You need to make sure that it's there. Otherwise. You're in trouble. 

My wife says just check all the doors are locked before we go to sleep. It's a very proactive thing and I think that fits as a good analogy here. Interesting

Nikhil: Let's talk about those who have been doing, like you've already been basically on that journey.

You also have a deep background on the cyber security side. What are some of the challenges that in this area where you feel that there's nothing that you see, it should be done, but you don't see basically a great way of doing it. I wish we could solve this. What would that look like?

If you're already on a digital transformation journey, you're already doing, let's say you had machines. You've already now started collecting more data, etc. So you're already on a path where you're not isolated from the threat. You can easily have an ecosystem, especially in the context of manufacturing when we're talking, you could easily have an ecosystem where you just had people working, and the cyber threat would be minimum because now you don't have anything to attack to because there's humans in the factory floor.

But fast forward now you have a combination of humans, machines, everybody, and you already are starting to collect data, and there's a lot of data that is being collected, so you're already in a much more matured state than what you were previously. Thus, what are the challenges for that kind of maturity from a cybersecurity standpoint?

Gordon: Before we hit the challenges, I would just say that the ability to execute your say, prospect to cash process Your ability to pay your people, your ability to purchase raw materials or services, and to procure those and to pay is what you're protecting. Are you protecting the data? Are you protecting from a virus? Are you protecting from malware?

Are you protecting, no, you're protecting, this is the asset. The enterprise value of the company, its ability to maintain and create jobs, its ability to deliver goods and services, and if any of these things are interrupted that's where you start, what's our tolerance and go back.

If you're embarking on a new ERP, for example or other planning tools or whatever solution we're talking about, security has to be at the table. If you've, a lot of times people will prototype and prototype and test and do user acceptance and get through all kinds of stuff and say security later.

It's really hard to catch up now with the level of security you need. You really need to plan ahead. It was easy before. You have access to this module or you don't. There's authentication, there's VPNs, there's a thing called  Zero Trust. Security's evolved and in order to protect the things that you care about, you better make sure that you have many layers of protection and many sensors to detect that someone is at the front door. Otherwise, it's too late. The doorbell cameras are a good example. If somebody's standing there, plotting or doing whatever they're going to do, you wouldn't know it if that sensor on the door was not there. If that gives you that critical extra time, the button down the system, right? If I know that I've had a breach on the outer skirts or the front fence, right? Or in a particular satellite office, I can take preventative measures to isolate that until we can remediate, eradicate and bring things back to normal.

So gotta have security at the table. If you haven't done it yet, do it. It's never too late until it is. So it's not a tomorrow thing anymore. 

Nikhil: So from an org structure standpoint in a manufacturing company, where does it's my understanding that cybersecurity always sits with IT. But as you grow larger, and as you said at the start of the podcast, that it's everybody's responsibility.

So can you talk a little bit on the org structure side, do you see anything that needs to be done differently to address cyber security?

Gordon: They need to be formalized. A lot of times, a system administrator or someone who has subject expertise doesn't generally have the time or the will or the desire to lock down the system, right?

Not always. Some of them do a role. You know, cyber security should remain in the IT organization because they have the most access and the responsibility to ensure the security of the system. So I don't see that changing. Everyone should try to budget for a cyber analyst or two or three, whatever your percentage of sales will allow on your IT spend.

Security is a big, it's going to be a big chunk of it, so plan on it. It won't be the same as your ERP. It'll be a nice chunk. 

Nikhil: Why don't you tell us a little more? What does the job of a cyber analyst look like? Simple things like, what do you think you'll be doing day to day?

Gordon: If the systems are not in place then obviously we know what that means. Someone's got to design, architect, and ensure the processes are there, mature the organization to a level that it's proactive. So that's not day to day, but it will be day to day until such time that now they're operating as more of a security operations center.

Day to day is just looking at many different alerts that say there's something going on here. There's a phishing scam coming in. There's an attack occurring at this facility. There's a denial of service happening here. They will look at these threats, assess them, and just make a decision whether or not it needs to be escalated and we need to further lockdown or further activity. Sounds like I just got into a movie. Yeah, it is. Yeah, it's no different than just, you basically have, daily tasks and you have immediate alert and response activities. Now, highly recommend that if you're a small to mid enterprise size, you can't do it yourself because it might be cost prohibitive. So, make sure that you have a cyber analyst or two or three. And make sure you have leadership that's driving that. And they get the right education, the right certifications. They're staying on top of what's happening out there.

They're connected to the right organizations. You can be part of InfraGard, which is part of the FBI that briefs companies on emerging threats so you can have advanced knowledge of what's coming or trends or a new key threat that could shut down infrastructure.

 These things are current risks, there's a lot of people focused on it, probably not enough. But I would encourage, back to my suggestion to make sure you choose a vendor that can detect and respond and eradicate threats as a service because then you're not hiring your own team to do that.

That could be two, three, four people, depending on the size of your enterprise, it could be a lot more. Making sure you do that, making sure that's all connected and authorized by your cyber insurance company and they agree that they will pay them in case there's an event. Because a lot of times they'll force you to use their team.

So you need to understand. So you need a playbook, you need to do a desktop or conference room pilot where you go through the steps of hey, we've just been breached. Simulate those steps and see what happens. Hey, how do you get to the end? And are you exercising that memory muscle, to know what to do next? Super important.

Nikhil: If we take this conversation more than on the career's side. Let's start with competency. Ultimately, when it comes to cyber security, if you talk about any manufacturing professional in any organization or even manufacturing leaders, all of them, is tolerance then pretty much the competency or is it vigilance?

What is the competency that everybody needs to Periodically test themselves or build on? So that, cybersecurity becomes a habit more than a one off thing. 

Gordon: Again, it's got to be part of the conversation for any existing or new plan to deploy new capital equipment or systems, as long as it's part of the conversation and there's someone to drive the plan successfully, then it's there. You'll have potentially a security operations center, whether in source or outsource or hybrid. That's going to constantly evolve what needs to happen. If I were in manufacturing, I would get a hold of 

the project teams or the engineers or whomever is pushing or manages the existing equipment and you have to take full inventory and do an assessment, you need to talk to the folks that are in charge of all the OT connectivity. Meaning, the PLCs that we talked about that run the machines, the brain of the machine, and make sure that they're aware and they're getting training and they're following the right, best practices for security.

If you talk to a lot of the manufacturers of the PLC, the programmable logic controllers that run these machines, the brains of the machine really, they all have, This kind of expertise in house, but in a heterogeneous environment, I may have built this machine with this brand of PLC and that brand of PLC and now I have all kinds of different systems and there's no longer a standard, therefore I can't really easily use one vendor security solution specifically designed for OT. I may have to take a step up and use something more IT focused and taking care of that for you, you still have to integrate that into IT. But which really depends on the size of the organization. Which system they use. 

Nikhil: Let's take an example, like High schoolers, people doing undergrad etc. All of them are usually excited about AI, The next tech stuff.

The thought process always is that all that is not needed in manufacturing. But you're clearly seeing that everything is applied in manufacturing. From a cybersecurity standpoint will all these next Gen tech, whether it's artificial intelligence, machine learning, deep learning, would they all help in preventing cyber threats?

Gordon: There's a potential for the new kinds of automation or at least, communications make more sense about what's going on, right? GenAI can facilitate that. Looking for patterns or deep patterns, AI generally, definitely has a role there in security. If I were in university right now or high school, I would make sure security is something that I want to do, right?

I would go through all the steps to learn a network stack I would learn it all. Because you're gonna need that expertise to drive AI, right? Learning AI, learning how to do prompt engineering, learning how to apply  AI in managing let's say your daily task and whatnot to help you identify issues faster will be a key prerequisite for employment probably in the next five years.

So you can't ignore it. 

Nikhil: What I'm hearing is that, fine, you have to learn the new gen tech stuff, whether it's GenAI or machine learning. But you're saying, combine that with the foundation, so if you're in manufacturing, you need to learn about networks because that's drive and that's what moves information around.

What else other than networks would you say, if you were to basically go and hire candidates from school undergrad, What other than these experiences that you would look for, that they should prepare for? Because when they come in, you're gonna teach them manufacturing.

That's the easy part. I usually think that we are looking for the things that we need. That's why we are hiring them. Thoughts on that?

Gordon: If I was looking to become a security professional. I would spend a lot of time learning about industry 4. 0 and maybe 5. 0 now. I would learn about it because it shows that's required to operate efficiently in a manufacturing environment, right? And, it doesn't talk a whole lot about security, if your mindset is, I want to be a cyber analyst, I want to be a certified security officer, all the different acronyms, then maybe, I have a chance at facilitating to security at the IOT level, right? It all interconnects, but each company's gonna be different, that might be a consultant that's coming in and telling you which way to do it, in the end it all integrates, right? It's all potentially on similar networks or isolated networks. It's still, you have to have connectivity.

A lot of the equipment out there has the capability to either phone home to the vendor, to report, hey, I need to order more ink for this device, or I need service, or maybe it's a subscription device, meaning I, pay by the unit produced, I don't make a lease payment on it, I just pay how much I use it, it's either by hours, by unit, and they phone home to the vendor who made that equipment, that's a potential security risk.

In the printers that we buy these days coming in where they're measuring your ink levels, and they give you that as a subscription that, hey, if it goes below a certain level, they automatically replace. Yeah, that's a good example where that could be a potential threat.

Then you have service and support, I just bought a million dollar machine, two million, whatever the number is, ten million, and I need this company in a different state or different country to service that remotely, middle of the night, do they have to be able to connect to that machine? I thought we needed to put a firewall around that machine, I thought we had to isolate it to protect it from bad actors. Yes, But they still need to be able to connect to the machine, correct, right? And that all has to be thought out, there's ample opportunity for a cyber, a cyber professional, a security professional pick anywhere along that ecosystem and find a niche where to live.

But I think that machine learning with AI is probably the thing I would start doing now. 

Nikhil: And if we go a little back where we are talking of high schoolers, like, parents always ask me you've been in the industry for so long. Why don't you talk to my son or daughter and tell what do you think he can do? The one interesting exercise that I've always been fascinated to do is, I ask them if you got up at two in the morning, what would you want to do? And ultimately I'm trying to ask them what is their natural behavior? Flipping that same question to you for a high schooler, if he wants to understand that maybe cyber security or that area is an option for me, and I should dig a little more deep into that subject, what is the behavior would you think of that if they see it in their kids and this is, you're answering to the parents.

Gordon: That's a tough one because that generally evolves. You want to have a background in an asset or a service or a software, then eventually you come to protecting it, right? Yeah. You don't say, I just want to protect stuff okay.

That's a hard transition, if somebody is in high school and they're talking to their counselors, I'm trying to figure out what I want to do.

We'll go to college and possibly they realized that there's a really good market for certified security officers, basically, or chief security. Yeah.

They look at that as hey, this is going to be a really good living. It's going to be interesting. They're always getting that foundation, which could be operating systems, software development, networking, administration, system architecture, infrastructure, It all starts in that seed currently and maybe they have a passion for one of those. Ultimately, they're going to have to protect it, right? And if they find themselves really enjoying that protection, what are they going to do? They might gravitate toward security.

It won't be an economic decision, as much as it'll just be a passion. Building security systems or software is almost no different than creating a new business app or a new game. It's creating, right?

There's a tendency for security to enforce. Be an enforcer or a rule follower

that can help too, but that's a tough call just to go directly into security you have to have an area of interest or you could be situational. All I work for a manufacturer, I'm currently running this machine, but I want to maybe elevate my income or I want to move in an office environment. What are the opportunities? Oh, what's this security? It can happen. Just basic is that.

Nikhil: Wow. That's very interesting. Yeah, I always used to think that if problem solving is one of the areas that people like, then security always requires that. Yeah, you need to be problem solver, but it's very broad.

It can apply to many but if you're a problem solver and a critical thinker, like your critical thinking ability, you don't take anything at face value. I don't believe you and you investigate, yeah.

Gordon: And eventually you don't have to investigate everything, right?

That's where the fuzzy logic comes in, we all live on patterns. If you think of that, we emulate patterns. That's how we learn how to speak, that's how we learn how to eat the right things and not eat the wrong things, not always when it comes to donuts or whatever. But everything's a pattern, and this is a talk that I give to a lot of folks that say I know brand A software, but I don't know brand B, so I could never go work for someone who's using brand B.

And I say wait a minute. They both do the same things, it's just you're not used to it, and the interfaces are different, and the clicks might be different, but the process behind the scenes is get something from A to B to C is the same. It's called an enterprise pattern.

It's just, you couldn't, operate at full efficiency until you got used to it. 

Nikhil: I came across so many people like that, like C sharp and Java is like, they just not want to switch as it's the same thing. Amazing Gordon with this thank you so much. It was great having you. Yeah. Thank you. 

Growth Unplugged, the conversations will go on. In this episode, we covered cybersecurity and manufacturing, with me was Gordon Twilegar from, PAC Worldwide. He's the VP of Global Information Services. Gordon, if somebody wants to reach you, how do they do that? Hit me up on LinkedIn. Awesome. The question that we ask, at each episode to each one of you listeners is what are you going to be doing, as part of the strategy and the policy in your manufacturing for cyber security. With that, thank you for listening