Bridging the Gap Between OT & IT for Improved Security and Better Managed Risk

Fraser Brown

Global Head of Information Technology at BrewDog

Learning Objectives

As industrial and business systems become more and more connected, they also become more exposed to vulnerabilities. The digital revolution is forcing IT and OT to integrate, meaning that we have seen a rise in destructive malware attacks against manufacturing and energy and utilities organisations, fuelled by this IT/OT convergence and a proliferation of remote access to OT. Convergence of OT and IT is not a new concept, but in the current global climate is as important as ever with a much more distributed and fragmented workforce.

Key Takeaways:

  • Where to start and focus with converged OT and IT systems?

  • What are the common vulnerability points in converged structures?

  • How to mitigate risks in converged structures?

  • The ‘people element’ within converged IT and OT to consider?

"Don't just sit there looking in. Get involved. Roll your sleeves up."

Fraser Brown

Global Head of Information Technology at BrewDog


Well, good morning. Good afternoon. Good evening. Whatever time you’re watching this, my name is Fraser Brown. I’m the Global Head of Information Technology BrewDog. And today, I’ve got the pleasure of chatting about bridging the gap between IoT and IT for improve security and better managed risk. This is something which is close to my heart working BrewDog. And with all the work that we do with regard to your production, and getting that logistically sent all around the country and beyond. So this is something which has been close to my heart since starting at BrewDog. So without further ado, I will crack on with some slides, nothing too onerous. I’ve even got a video a bit later on just to mix things up a little bit and making it a bit more exciting. But obviously, if you’ve watched any of my presentations before, I’ll put up a gratuitous slide with our viewers there just as a way of showing the kind of things that we produce. Hopefully, you’ve tried some of those, if you’re not, I thoroughly recommend that you do slightly bias there, of course.

As I was saying, 40 is prevalent in brewing, you know, it’s something which there’s no escaping from, you know, OT is not a new thing, either. And ot security and IoT security coming together, again, is not a new thing, but perhaps is becoming more prevalent and relevant. In the age that we’re living in at the moment with more and more folks are working remotely, and needing access to all the data that we have across the organization, you’ve got a bit of a joke, it’s BrewDog, that anything with a plug comes to it. And and I think that’s that’s not a bad thing from the point of view of 40. And the security elements there in, you know, historically, we’ve been involved with, or T we don’t have a massive team, I think some organizations probably have the benefit of having huge teams, dedicated ot security teams dedicated IT security teams, we can cover off a multitude of sins within it within BrewDog. So we’ve been heavily involved in that kind of crossover, which is probably why I’m talking about bridging the gap, something which is a bit easier for me to talk about, I think so. Yeah, we get involved in anything, whether that’s the vending machines, we have specific vending machines within our production areas for personal protective equipment PPE. Or for if it’s for management consoles, for the gigantic stills and the canning lines, we get involved in what we’ve got up on screen there. It’s just a representation of the kind of information which is available to our guys in the production lines. But as we’re seeing more and more, so we’re seeing this needing to be accessed remotely, which is fine, you’ve got a picture of an iPhone there, we’re now expected to be able to let the guys see this when they’re working from home, as well. So I mean, it’s really kind of transcending across multiple facets of the IT network and depending on your your, your it setup can be problematic. So I mean, I think a lot of the times, historically, within BrewDog, we’ve been involved at the tail end of the process with discussions about things coming online. We move at such a rate and ours is unbelievable. We talk about dog years BrewDog. So you know days like a week, we move really quickly, to the extent that we might not within it be aware of stuff coming on to the production floor by way of equipment. So quite often we’re at the tail end of the discussion, where are they in their selection has gone through. We’ll get an unceremonious email landing in our inbox. And we basically have to jump on and deal with it. And it’s interesting, I was chatting about shadow I T and another presentation. Sometimes or tea feels a little bit like the better off cousin of shadow IT. And as much as we know that we need to really do the OT elements because a lot of the stuff that we do is clearly around efficiency and getting as much beer available on the door as possible. So there’s a whole lot of stuff there that we need to face into the slide in front of you is actually essentially quite a camouflage picture, but you can actually just make out the cans on her the canning line there. But all tea is really super important to us BrewDog.

And I guess there’s a distinction of owns, or T security, an IV security. So it is security, you know, is not looking at confidentiality, integrity and availability as we tend to be within it. But it’s usually on the safety, the liability and unavailability. And I guess also within that challenges I’ve mentioned there, it’s about improving the process efficiency, we also want to be able to share as much data for more tea in areas like finance. So integrating with it is a must for us within BrewDog. So we’ve got an ERP system. So there’s a lot of data that we’re needing to share from the production guys in terms of the the capacity, the canning, and how efficient everything’s working from a brewing point of view or a distilling perspective, through to the finance guys, and also through to our warehouse Supply Chain management teams. So we have a real kind of crossover, I think, and some other organizations don’t necessarily have that need for the crossover. But for us, we certainly do. So for us bridging bridging across 40. And IT security is, is really, really key to us. The displayed on the screen is actually our marching distillery, which is lonewolf, which is again in in one of our production areas. I think when when we put up a lot of these pictures, and when I showed the video, what I’m trying to show you is the kind of complexity. Also, if you look closely, you can probably see some data cabling as well. Running through the system. So you know, everything’s connected to within within our setup. Again, that probably wasn’t necessarily the case, a few years back, but we have moved on leaps and bones and the capabilities that we’ve got, we’ve moved on leaps and bones in terms of the way that all tears no trying to link in to things and I’m going to touch upon the kind of Internet of Things element here as well. So I mean, I think the lack of sight of things coming on the network has been the problem in the past. I think also the fact that the production areas don’t necessarily hold the third party vendors to account from the point of view of the security, you know, if you think about it, and that’s just bonkers from from the potential that you have to impact in production, and depending on how your network structured to white, whiter parts of your business as well. I think, therefore, the challenge is probably getting harder in terms of more connectivity to the internet. So this is something that will continue. I think there’s a there’s an expectation, the IoT devices, is due to double by 2025. And there’s also I think, a Gartner Gartner report, which said that by 2025, three quarters of all ot security will work hand in hand with more recognized ICT security. So we know that it’s coming together, you know, so even if you’re not looking to bridge No, I would suggest you start doing it, it’ll start to happen more naturally as the different ot vendors and suppliers start coming together with IP security. And so on that basis, it’s inescapable, you’re going to need to bridge whether that’s done to you or whether you’re going to take that metal and grasp it and go with it. And so from my point of view, is just try and onboard as much as possible and work together to make things more smooth between the two departments. Because from our perspective, 40 training to a whole justice is not something we want to think about, you know, not being able to produce beer is not something we want to really think about not being able to get to the warehouse is not something we want to be thinking about. And let alone not having the data is not something that our finance guys would be able to, to live without. So, you know, it’s absolutely incumbent upon us within Riedel to make sure that we’re bridging that security gap. And I guess it all again, as I said, it depends on your network segmentation depends on your investment and firewalls and edge gateways and the like. But, you know, keep keep, keep an open mind. So the way that we like to kind of make people aware of what’s going on and focus the minds on, you know, holding vendors accountable for the security elements is by bringing it to life. So this slide is about the fact that again, I’ve made it mentioned in previous presentations that, you know, our guys think that we’re too cool to be attacked,

which is just nonsense. You know, why would you, you know, again, I understand, why would you want to attack a cool company making beer and gin and vodka and rum. But if I Why does anyone want to attack anyone that’s for money, especially if we were going to crewing about how good we have been at, you know, getting funding through our equity for punks. So this is a display that I’ve used in the past just still, it doesn’t matter how big or small you are. So the iron brewery brewery makes some great beers. Not that big, but they’ve been hit with a with a ransomware attack. Also, big companies like Jack Daniels compiled and probably the one which is most relevant in terms of the impacts Molson Coors, who were massively impacted from the point of view of the couldn’t produce beer, they couldn’t get things out the warehouse, and indeed, they’re still recovering from from so there’s massive impacts, not from not just from the point of view of working as a business, you know, how do you recover as a business? So you might get, you know, ransomware so that I think we can parry one thing that was a $15 million impact to them with from a recovery perspective. But also, you know, do you recover your brand and do you recover customers because customers need products on the shelf? So if our grocery sales are impacted, was unbelievable, like Tesco, Sainsbury’s and Asda, for example, will go elsewhere to fill their shelves. And do you recover that shelf space back? Who knows? Perhaps not. So we’re bringing this belief a bit more has been core to those discussions and making people understand the impacts and making sure that we are working together from an OT nit point of view. There are a couple of smaller ones on there one in Australia the lion lion booty, they actually got hit twice. The first time they didn’t actually get rid of the the the cyber attack that happened upon them sort of he got hit again. I don’t agree and then there’s a smaller one there with a company in the Channel Islands so it’s been core to changing that perception on security within within Moodle. I think we’re getting I think we’re getting there and I’m going to show you a little video now. Reagan all around in

the night


Never stops we are the music was by Motorhead I think the transcript whiplash, not my choice. But I just wanted to show you that again, just to I guess break up the this kind of can be a bit of a heavy conversation and show you something pretty cool, because watching cans who are owns getting

ready for heading out the door is actually quite cool. But also, I think if you if you look closely at that video, you’ll see various scanners going past you’ll see various cables, data cables. And again, that was just to show you the kind of the way that or T is clearly embedded and linked with it and the information that we need to get out. Because clearly, we need to know the numbers are whizzing by, we need to know what kind of wastage that we’re getting through the canning process through damaged cans, on the lake as well. So there’s a lot of data that we want to get out to improve our efficiency. And also to get as much data as possible to our finance guys and also to our Supply Chain teams from a logistics point of view of how much how much we can get out the door, as well. So hopefully, if your years have recovered from that track, I’ll move on a little bit and talk about the takeaways that I think you can hopefully take from from this session. And this is what I kind of believe you need to look out for from a bridging the gap point of view. So you can take it or leave it and there’ll be other things over and above this. Absolutely sure. But this is this is my view. For what it’s worth. So takeaways, increase your training, security awareness. At BreDog, we’ve upped our awareness and training. So we’ve done the sessions to kind of show the impact to other companies, other brewers, other distillers. Also, we’ve done a piece with a really cool startup firm who specialized in cybersecurity training, and awareness with full on simulations to check how the learning has gone. And that’s just going to be a constant thing that we keep doing. And we keep that awareness throughout the organization and building that. That kind of understanding of security. So we don’t cut corners. And we don’t just lob things in if that kind of breakdown and communication happens, which hopefully it won’t going forward. The other element is that increased stakeholder management. And again, a lot of this is common sense, you know, be that open door. And no, Don’t be the kind of person that’s saying no, be involved in the conversations, and the conversations with the vendors, on the expectations on security. So, you know, making sure that the guys are asking about cybersecurity credentials and certifications, if that’s appropriate with the vendors. And the communication is key to that. And also flip it, flip it on its head a bit. Don’t just sit there looking in. Get involved. roll your sleeves up. So I know in my time at BrewDog what I find super beneficial has been getting on my PPE getting on my Google waistcoat, getting all my safety goggles and boots, and actually going into the production areas and chatting with the guys and seeing the different screens, seeing the different inputs, and seeing the challenges that they have, and understanding how things are hooked up, whether that’s through the Wi Fi, whether that’s through our cabling, as well, and understanding where the details go and kind of follow it through. I think one of the things I’m really looking forward to trying to do is, I’m a real fan of these programs on the telly, which kind of show you how things are made to insulate the factory, I think it was one of the programs, but they are really keen to try and do that for my guys, and the wider organization within BrewDog. So we can follow things through from start to finish and bring it to life for everyone. But from the point of view of the system’s interactions that will involve also just training and understanding point of view, I think now, that has really helped with the conversations around making sure that we’re kind of joined up on at an IT security. Another element there is their own network segmentation. If you don’t already have it, you know, I would recommend trying to get that started. I know it’s not always a cheap, cheap project or program of work to do. But I think I think if you’re serious about protecting your OT and your IT, and making sure that, you know, attacks can’t spread further afield, if you can get the network segmentation on I think that’s massively beneficial. Equally on a touched upon earlier honor and firewalls and Edge Gateway setup. Again, if you can do that, you’re helping to, I guess, isolate from from issues on the network and just provide an additional security element.

From our point of view, as well, we’ve been doing a lot of stuff on continual penetration testing and vulnerability management. So again, we’ve got a neat tool that we’ve just rolled out. I think this, this paid dividends straight off the bat, whereby we ran our kind of first reporting, and we actually pinpointed some key areas where we needed to close gaps on the OT, effectively, the penetration testing went across our entire network of states, and actually pulled back, it was actually a Windows Windows seven machine, which hadn’t been patched for wanna cry. And that was relatively recently. So we we obviously fixed that to deal with that. But that was actually a vendor supplied PC, which should have been patched and handed in by the vendor. So we’ve kind of opened that conversation with the vendor. And also patch that. And we’ve now got that ability to just check to see how things are doing. And also, again, if we missed out on being involved in conversations of stuff coming on the network, we can run this afterwards. But the ideal is with vendors is almost do that security hardening before something goes live, to kind of, again, remove the risk, and any kind of gaps that we might see, at least trying to reduce the risk of an attack, which is all we can we can all really try and do. Now there is you know, you don’t have to do it alone, you don’t have to do it by yourself, you can work with partners to review it and IT security, there are loads of vendors out there in the OTC space. They’re constantly reaching out to us to talk about doing the review, and kind of looking at holes as well and provide you with that path. Because as we’ve talked about, not everyone’s got a massive team that can just pick this up and deal with it. Not everyone’s got an n o t security team, or even an IT security team. This just provides a level of comfort to the board as well, if you can, you can partner up to review, review with a vendor as well. So you can do that as well. And I guess, you know, my last bit on is just the constant, not not necessarily just for this. It’s just that constant learning, you know, coming to events like this, going on to the various chat, the chats that are out there from a CISO point of view, and I know t as well. There’s loads of information out there. Don’t Don’t worry about it, you know, there’s no, I guess, there’s not always 100% right answer for you and your organization. It’ll be a blended approach from what’s out there, learn about best practices, what other people have gone through, as well. So, you know, reach out and understand what’s going on, roll your sleeves up, and listen to other people’s challenges and approaches to because they’ll always be something new there, which I have not heard of. And as with all of these things, it’s a constantly shifting landscape. So keep on top of it. So that’s all for me on this. If you’ve got any questions, please feel free to drop them into the chat and I’ll no doubt pick this up in today’s course. Thanks for listening

Get full Q/N Access

Sign up to Q/N with a few details to watch this presentation.

  • Hidden
  • Hidden