Retired Pfizer global head of automation engineering Jim LaBonty recalls many work-related conversations with his IT counterparts eventually raising the same question: Why can’t you standardize on one tool or vendor in the operational technology (OT) manufacturing space?
This would send LaBonty into a dissertation explaining how, architecturally, once you get close to the factory floor, standardization splinters into a myriad of vendors, proprietary protocols, and task-specific devices and technology.
This is the reality hitting CISOs tasked with securing OT, and IoT, in addition to the traditional IT enterprise.
“The guiding light for the IT world is to standardize and one solution will fit all for most,” LaBonty said. “That works really well and try to get down as close to manufacturing as you can and there comes a point in the architecture where it just balloons out into a plethora of different technologies and use cases, especially when you get very close to the manufacturing floor.”
In this episode of the Nexus podcast, LaBonty says CISOs must prioritize finding how far they can standardize and use common tools for rapid updates and upgrades, and then build a specialized OT security stack from that point to the factory floor.
“There comes a point where as you get closer to systems and technologies that are controlling equipment and devices on the floor that are making actual manufacturing happen in real time. At that point you got to like you got to look for other solutions, other technologies. That’s the key point where CISOs struggle with that balance of how far can I push down a common strategy, and then where do I need to then leverage custom, bespoke technology that’s really designed for the production, OT world. That’s very key.”
As CISOs transition to a converged environment, LaBonty points out that OT security operations centers (SOCs) are a rarity. As OT security technologies feed into the IT SOC, it’s pivotal that SOC analysts bring in asset operators and engineers to decipher alerts before taking action that could impact manufacturing processes, for example.
“Having those communication connections between a SOC and your site's key individuals so they can have an intelligent conversation if anything's happening so they together can figure out exactly the path forward,” LaBonty explained. “It takes both and the reason it takes both is the IT SOC will not have a detailed understanding of that manufacturing site. They'll know it's manufacturing, they might know what product is being made there. They have very little knowledge or no knowledge of exactly how the systems are all interconnected and what they do in their function.”
LaBonty also spends some time during the podcast sharing some of his experiences throughout the development of Pfizer’s Covid-19 vaccine. Pfizer had no manufacturing capabilities for an mRNA vaccine at the time, meaning they had to build those in short order to meet the ultimate demand for billions of doses of the vaccine.
This meant not only locking down manufacturing and preventing any impacts leading to disruption, but also looking closely at the security and safety of the supply chains supporting vaccine development.
“Manufacturing risk: The big thing with Covid is zero manufacturing risk. We have to produce the Covid vaccine and we cannot stand one impact from anything. So what did that actually mean? It meant scaling up the security watch and focus across the whole supply chain. That became No. 1 was the whole supply chain. It even came down to the minus-80 Fahrenheit freezers that were football field sized freezer farms.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.