Inside the Rockwell, Church & Dwight OT cybersecurity team-up
After a report last month that portends the widespread vulnerability of industrial OT, consumer goods manufacturer Church & Dwight Co. and industrial automation and digital transformation giant Rockwell Automation this week detailed their work to bolster C&D's network of operational technology and minimize the risk of intrusion.
Church & Dwight has locations across the U.S., Canada, and the U.K. and controls 13 home and personal care brands with such diversity as famed baking soda maker Arm & Hammer, Oxiclean, Trojan, Waterpik, Nair, and Orajel, so its OT footprint is wide—and cybersecurity for those widespread manufacturing systems is top of mind, company officials said in advance of the March 13 announcement.
See also: Clorox cyberattack to cost up to $593 million
See also: Microsoft hack tests new SEC disclosure rules
“We selected Rockwell Automation because we were looking for a new partner to help us up-level our OT and manufacturing security posture,” according to David Ortiz, Church & Dwight’s chief information security officer.
“We knew we needed the best of the best who understood our vision. Throughout our work with Rockwell Automation on our OT cybersecurity program, we’ve gained a thorough understanding of our cybersecurity landscape and the tools needed.”
Last year, Rockwell Automation released its widely distributed study of manufacturing cybersecurity, "Anatomy of 100+ Cybersecurity Incidents in Industrial Operations." And like the February report from the Michigan-based Ponemon Institute and remote access management solution provider Cyolo, Rockwell’s work portends trouble for manufacturing OT.
Overall, the number of cyberattacks against manufacturing and critical infrastructure continues to rise, Rockwell reinterated in its joint statement with Church & Dwight, noting critical manufacturing was one of the most frequently attacked verticals in the OT/industrial control system sector.
Quiz: How vulnerable is your OT?
According to their joint March 13 statement, Church & Dwight saw the importance of a strong OT security posture and enlisted Rockwell.
The company’s goal was to gain a deeper understanding of its manufacturing risk profile by identifying critical assets, vulnerabilities, and security gaps. After examining and prioritizing risk, Rockwell collaborated with Church & Dwight to develop a remediation roadmap, new security policies, and other measures to minimize the risks.
The two companies’ March 13 statement came out in conjunction with a downloadable Rockwell Automation case study on its work with the consumer package goods manufacturer to modernize its OT cybersecurity.
“At Rockwell Automation, we firmly believe in helping organizations recognize the importance of OT cybersecurity,” said Mark Cristiano, global commercial director at Rockwell Automation. "Over the course of our partnership with Church & Dwight, we have implemented new security controls and processes and have already seen a dramatic shift in the company's OT practices.”
Webinar replay: New SEC Reporting Requirements and Your Cyber Defenses
Church & Dwight expanded its longtime partnership with Rockwell in 2020 to advance its Manufacturing Cybersecurity Program initiative.
Since then, Church & Dwight has achieved its cybersecurity objectives in mitigating risks and understanding its OT landscape, according to the March 13 announcement.
Once threat detection capabilities were in place, Church & Dwight implemented continuous monitoring through managed OT services from Rockwell. These managed services integrate and support Church & Dwight’s current IT Security Operations Center, bridging the gap between IT and OT networks, and mitigating cyber risks across their enterprise.
During the early days of the COVID-19 pandemic four years ago, Church & Dwight CISO Ortiz was put in charge of a strategic mission: Expand his company’s manufacturing cybersecurity program to include new capabilities for lowering cyber risk, according to the Rockwell case study.
Video and podcast: Closing Gaps in Risk Management: Technologies to Ditch Your Old Processes
Ortiz also understood that the cost of inaction could be extremely high. Even before certain industrial cyberattacks gained public attention—such as the Colonial Pipeline shutdown in mid-2021 and the Clorox production disruptions in September 2023—it was clear that without visibility into networks, assets, and incoming threats, the risk of manufacturing interruptions increases.
And if the organization had to withstand such interruptions, secondary effects could result, like slowed response and recovery times, negative publicity, and revenue or stock price impacts, according to the case study.
“We needed to better protect OT operations,” Ortiz explained. “At the core, that meant we needed more visibility across IT and OT networks.”
Government's watching now, so companies must comply
As of just this December, the U.S. Securities and Exchange Commission started requiring all public companies to follow two principal rules.
First, in their annual 10-K filings, companies must report their cybersecurity risk management, strategy, and governance. The yearly 10-K is supposed to be comprehensive, with information about company history, organizational structure, facilities owned and now their cybersecurity posture.
See also: What’s in store in 2024 for cybersecurity, AI, and securely bridging the IT/OT gap
So, all companies now must describe in the 10-K how they identify and manage material cybersecurity threats, the “material” damage that a cyberattack might do, past cybersecurity incidents, how much oversight its board of directors has, and how management assesses and manages material risks from cyberthreats.
Second, unless the U.S. attorney general determines that the disclosure poses a national security or public-safety risk, companies must, within four days, disclose cybersecurity incidents that they determine are “material,” using a new item line on their Form 8-Ks, the form they use to report major events shareholders ought to know about.
Clorox “pre-complied” with the brand-new SEC rules in the reporting on its fall 2023 intrusion to the government, its stockholders, and later the media.