Joyce Fassel, Editor-in-Chief of Pro Food World at PMMI Media Group, and I'll be moderating this discussion. Plant cybersecurity is becoming a growing concern for OEM and CPG companies alike. Threats to plant information networks and interconnected machinery lines can have a negative impact on productivity. This webinar will help both parties understand the climate in which we operate today and the risks and potential rewards of remotely connected process and packaging machinery. The goal is to enable safe and secure remote diagnostics and assistance by the suppliers of current and future equipment in manufacturing plants. This results in improved operational excellence and supplier value. PMMI's OPEX Solutions Group for Secure Vendor Access is a team of CPG and OEM subject matter experts from more than 20 companies who are sharing their expertise by developing these much-needed industry guidelines.

Now before I introduce our speakers, I want to let our audience members know that this webinar will also be available for archived viewing at profoodworld.com. You will receive notification when it's ready and the slides will be available for download from there as well. Please feel free to ask questions at any time during the webinar by typing your question into the questions pane of the GoToWebinar control panel. We will take some time at the end of the presentation to address as many questions as time allows. Today's webinar is being sponsored by ProMoc.

So let's get started by introducing our speakers. Robert Darje started with Amway as an industrial master electrician in 2007 and since then he has moved into engineering and is now currently a senior electrical engineer. Robert Darje developed the global Ethernet control network standard for Amway corporation and leads those installations. In addition, he has been involved in many multimillion-dollar packaging line and process installations throughout his career at Amway.
Mark Rueberg, vice president at ProMoc, is traveling outside the country today and is not able to join the webinar. Filling in for Mark is Steve Schlegel, managing director of PMMI's OPEX leadership network. So now I'd like to turn it over to Steve Schlegel to begin the presentation.

Thanks, Joyce. And welcome everybody to this next webinar from the OPEX leadership network. And we very much appreciate ProMoc's support of this and frankly the entire industry, because this is a very important and timely topic. So today what we're going to go through from an agenda standpoint is I'm going to bring everybody up to speed on the OPEX leadership network, where we've come in the past eight years. And then from the secured vendor solutions group, we'll discuss the issues, the opportunity itself, what we're trying to achieve, and share with you the tools that we are developing to help your companies address this important issue.

So from a standpoint of who is PMMI's OPEX leadership network, we're a community of manufacturing engineering and operations professionals who have come together to share collective experiences in a collaborative way to solve common, non-proprietary, non-competitive issues in CPG manufacturing. So to date there are over 250 companies of CPGs and PMMI member companies who have participated in the development of these practices. And through the generosity of PMMI, we're proud to say that all of these best practices are available for free download from the industry, and I'll show you that in just a minute. The OPEX leadership network was founded by PMMI in 2011 and to date we have developed and published over 16 documents, best practices and guidelines and resources for the general use of the industry. As you take a look at the image in front of you, this wheel, we've divided it into three parts: people, process and technology. Let me touch on one of each to help give you a flavor of what these represent.
At the top of your screen, you're seeing workforce engagement. In this area it is the development of your existing very important people assets in the organization to have greater performance and output and reliability and, quite frankly, enthusiasm for their jobs and the work that they do. On the right of your screen is process. One of the key items in this process area is a document, one of our first publications: the validation of the kill steps of Salmonella in low moisture foods. This has been recognized by the FDA as an industry go-to resource, and quite frankly the FDA uses it in their training sessions and recognizes it in the FSMA document as it relates to this very important topic. Right next to that is CIP, and I just want to make a quick call out on the CIP document because we have just completed the peer review process of this new document, which will be available, published, and made available on the OPEX website in just a matter of a few weeks. Then to the left of your screen is technology. In technology, that is really focused on the capital spend. Here we're looking at areas like factory acceptance tests and total cost of ownership. Those documents combined, actually all 16 documents when you roll it all up, there have been over 8,000 downloads of these very valuable presentations.

I'd like to take you to the link that I just went to is the OPEX leadership network, and here you can see on your screen the home page of the OPEX leadership network, where you can download not only the publications but get valuable information and insights to help you in your journey for operational excellence. So coming back to the presentation, what I'd like to share with you now is identify those 20 or so companies that Joyce mentioned, who we very much value their participation and guidance and leadership in the secured vendor access solutions group.
As you can see, it's a very diverse group, large and small companies alike, and we very much appreciate what they have brought to the table, and that's quite frankly the efforts of their work. It's a work in process that you're going to be seeing as in the remainder of the presentation today. So what we're going to be sharing with you is where we're at and give you a glimpse as to when will this be published for your use.

So as you can see on your screen, the goal, and Joyce referenced it in her opening comments, is that we're trying to create something that both the CPGs and the suppliers can benefit and have a mutually beneficial relationship in the industry on this particular topic. We want to be able to enable the safe and secure remote diagnostics that in essence would result in improved operational performance and value to the suppliers. Fundamentally we're calling our work product a best value options analysis. What we intend for that to convey is this is a document to help the conversation between the technical community, the IT and engineering community who has to work together to develop these solutions, but also to the non-technical professional, the business folks in your company, so that they can make a better informed decision as they guide your companies going forward. So keep that topic in mind, the thought of best value options analysis to enable you to have a better decision-making process.

So with that, let's take a look at what we're talking about. Here you're seeing the overview, and what I'm going to do is give you the overview and then hand us off to Rob in just a minute or two so he can share with you in greater detail what is in particular the pluses and minuses of each of these approaches. Excuse me, but as you can see here, what we have is basically six different methodologies, from very sophisticated to the more standard and routine. The way to help us communicate the best value options analysis is this grid.
A good way to look at this grid of the six methodologies, balanced against, down the left column, the attributes: this will help you ascertain from a least to most scenario. So let me give you an example. So as you look down the left hand column, you can see the skills required to select, install and train on a particular methodology. So in the one method, the first one that you see, direct VPN has four computer screens on it. That indicates that that is the most complex in this regard, the most skills required, whereas right below that, the OT skills required, the operating technologies, that it's pretty straightforward to use. So if you will, this is modeled after, if you use OpenTable for example and you see one dollar sign, you know it's going to be the least cost restaurant, or if you see three or four dollar signs, now you know it's going to be the higher end of the scale, the most cost, and so on down the line.

So we've broken this into the technology skills required, both IT and OT, the acquisition cost and operating cost, the reliability of that particular method, and what you're looking at there is chain links. So how strong is that chain, if you will. And then the protection, both the operational protection, and by that we mean the protection to the enterprise within the four walls of manufacturing, and then the business protection, which is getting up into the business enterprise. And finally is the value proposition, as you see on the bottom row, and that really is left blank because that's up to you. This is sort of a guideline to help you have the dialogue and encourage that dialogue to occur within your company. So with that I would like to introduce you to Rob Darje from Amway, who will take it from here. Rob.

Thank you, Steve. I guess we'll dive right in. So the very first one is the direct VPN, and pretty simplistic. We can move to the next there, thank you.
So some of the benefits: leveraging the external partners, and the speed to the solution is very easy. Some of the risk: we'll talk about password management and also updating users. There just seems to be a pain point with direct VPN. And let's move to the technical. So basically what we're looking at here is that you've got an outside vendor, and they VPN to the enterprise via a VPN portal of the CPG, and based on the credentials they're able to get to the certain network that they need to, to that piece of equipment.

So the best value options analysis here: again, the IT skills to set up a VPN. I think we're all used to VPNs. We VPN into our own networks to work from home, if you will, or work on site. But it takes a lot of skill from the IT network to set one of those up. But once you do, it's easy to VPN in. You use your own VPN software that's already installed on your laptop. And the reliability of the method for this is pretty strong, but we'll go into some connectivity things here.

So basically there's two types of VPN. You've got connectivity: continuous and transactional. And some of the cons are very high level of IT support to both OEM and on the CPG side to install and support. When you have continuous, there's also some issues that arise from ownership of data and storage issues: who's going to have that, who's going to manage it. But some of the pros, too, is leveraging service support and speed. The CPG has access to OEM for very fast assistance from an SME standpoint, so there's some pros there.

The transactional: some of the cons to transactional, it's a challenge for OEM to manage many different versions of the VPN. So you're an SME at the OEM, and now you have to have, for instance, on your computer, one CPG's using Juniper and another CPG's using Pulse, so you've got to have multiple VPN softwares, if you will. Password management: that can be problematic at times and consuming as well. When an OEM is called for service, their credentials may have expired or have been lost, causing
service delay. So that takes time to get those back from an IT department, and hopefully they're working 24/7 rather than just eight hours a day. For the pros to this, though, this type of VPN is very easy to use, so just sign in. We'll move to the next slide.

So here what we have is a direct VPN, but we're adding what they call a converged network in the CPG site. The benefits are definitely that it is more secure. Very expensive, high IT level of skill required, and the vendor adoption is also a risk as well.

So we'll go into the technical side. You've got a couple of vendors on the internet part of the zone, and again they VPN in. But what you see here now is that the enterprise is really broken down into what we call micro segmentation. Multiple VLANs, firewalls, DMZs are created, and you can also talk across this network with the right IT skills put in place. But we're creating roadblocks, if you will, with this type of converged network.

So some of the attributes: high IT, again because of the converged network. The OT skills, maintaining whether that's your firewall holes and policies in place, is rather extensive. The cost up front can be a lot, just in hardware, and operating too as well. But the reliability of this method is very strong and adds a lot of security to your infrastructure, if you will, both on the OT and the IT. One of the benefits, one of the things that, also the reason why we put four links or four locks on each one of these, is there's a lot of upwards and downwards security built into converged network.

I'll go into the hardware required. The Purdue model for industrial control network design will involve hardware such as multiple firewalls externally and internally, layer three switches and servers inside a DMZ. There's an elevated level of IT and controls engineering expertise to install and support this as well. Access restricted to appropriate network and equipment with vendor micro segmentation. Converts a large network into smaller
networks, even down to the equipment, by using network tools such as software policies and LDAP routes and network security. Specific individuals and OEMs are allowed access to any defined micro segmented area. With DMZ servers, vendors challenged downward. Like I said, downward and upward roadblocks, or virtual fences, I think, if you will, are created with firewalls and VLANs.

So the next attribute we have: cell modem access. This is kind of a legacy technology, if you will, but it's very easy to do, rather hard to monitor, and it's very vulnerable if you connect that machine to your network. Basically, it goes technical, and what we mean is that you can see that there is a modem down there and connected to a machine. But watch out: you connect to that layer 2 switch, your machine to your network, that is if the firewall to the outside world doesn't even exist; you've created a hole in your network.

Skills: rather easy on both. Acquisition costs: the cost of the modem. Operating costs is just your monthly bill to your wireless carrier. But connectivity circumvents all security firewalls if the machine is connected to your network. Like I said, it is now a hole behind your firewall. Connectivity high quality variable: location of the modem may limit cell tower connectivity, so it can be rather challenging sometimes. And it's easy to connect. So where these might even be used today, though, they still have their use: probably locations where equipment may be remote. For example, you don't have any kind of infrastructure to get out to, say, maybe a well pump station way out on your property or something. There's just no way to physically wire to that. So they still have their use.

Look to the next one. So the black box: basically it's a private cloud infrastructure, and it's a device that is in the machine. Some of the benefits: very low reliance on IT resources, and the comm link can be made on demand. Password management, or a lot of default
passwords out there that are never taken care of, and updating users, same thing.

So we have a machine here. We're showing a connection to the enterprise, but it can also be to the industrial control system, so you can, if you have a converged network. But with the black box, basically this device, most black boxes, they call out to the internet, and that's how they make their connection. And it's allowed through your network; it should look just like web traffic. We'll move to the next slide.

Not a lot of IT skills required, typically, to install and operate. Acquisition costs are very low on the hardware, and operating it, it doesn't take any skills at all. The reliability of the method is fairly strong, because you start the conversation within your CPG going out to the outside world. Operational protection is pretty strong too as well, because it's only allowed on the private side of this network that's created, and business-wise too as well, you're protected.

Talk about the leadership guidance. Continuous connection creates vulnerable access: again, if the black box is being used for continuous data collection or management by the OEM, this creates a vulnerable access to the machine in the network. Also password management, OEM users sharing credentials: like I said, a lot of the OEMs are taking advantage of the black box for free cloud server account by sharing sign-in credentials. The user management is now a threat. The CPG really has no control over those OEM users. Most of the black boxes' communication: phone home server, or to even a cloud server. So most, if not all, black boxes have some sort of phone home to an OEM server or cloud server. Black boxes are not recommended for continuous but rather transactional. So from a security standpoint, black boxes should be inhibited always and only turned on at the time of need: emergency troubleshooting, data dumps or maybe software updates to the machine itself. The business risk is low by allowing
the CPG to control the enable of the device at their discretion, and the communication originated with the CPG. Another benefit is some black boxes offer NAT, network address translation, so it can fit into the CPG network and only allow the OEM to see those permitted addresses. The NAT allows an easier translation or mapping to a CPG equipment private IP address, so it fits into the network, if you will.

Finally, the bad boy: technician on site. So we pretty much all use this. It's pretty easy to do, but there's a lot of compromised security with a technician on site. Which is the value analysis here: the first three are not even applicable to this, but the operating cost, they're very high, and we'll go into that with the equipment downtime. Reliability of the method: we only give it one link, and that's because of the time it takes to get somebody to your site. And protection: there is no protection on your operational side. Maybe, hopefully, you've put some things in place for your business protection.

But when it comes to equipment, to get a technician to your site, it takes time. Equipment down and the expenses of the technician equates to an excessive cost. Also, the technicians more than likely will need to connect to the equipment with their respective laptop, therefore creating some vulnerability for the network. Their laptop could have some viruses on it, and unaware to the CPG. Strict screening policies enforcement required. So there should be something in your business, there must be some sort of screening for outside equipment, whether that be laptops or even old packaging equipment. If it's being installed, it may have some old malware on it. That stuff should all be screened before being connected to your network. Some CPGs will not even allow outside laptops. CPGs will need to have policies or solutions in place for these technicians to visit. But using the technician is still widely used, especially during installs. We still have to
have that technician on site when you're doing your FAT and he's troubleshooting and doing run out, installing that machine on your site.

Finally, that brings us to our last: external managed secured network. So what we have here is kind of similar to what we just saw on the black box, but there's this external managed secured network. Some of the benefits: a very high level of security, very easy to manage, and I'll get into that a little bit. Requires a third party specialist provider, so this is a third party that we're talking about.

So what we've got here is the CPG on the very right side, and in between is the external managed secured network, kind of a software network, if you will. Service technician from an OEM can log into this network and, based upon their credentials, are able to get to the machine that's to the right, the CPG there on the right. Also something to note here too is that the CPG, similar to the black box, they install boxes. You see them there. They can be individual to a machine; those are highlighted in red there. Or say you have one OEM that might have three machines: they can install a VPN green box, if you will, that can get to that network. And the difference here is, rather than the black box being inhibited, on here these are connected all the time to that external managed secured network. So move to the next one.

IT skills required: so there's a lot of IT skills required here. Basically what you're doing is you've got two IT departments. You've got your internal IT department and you've got this external partner. It is an extremely trusted partnership that's required here, so to set up, it takes some time. OT is nothing more than a subscription to this external partner. Acquisition cost: there may be some cost, but for the boxes. The reliability of this method is probably very robust, and what I mean by that is that, again, all the equipment is connected to this external management and being monitored by them. From
an operational protection, you've got your converged network infrastructure on the CPG side and you've also got this software converged network, so the security on the operational and the business side is very high.

Leadership guidance here: similar to the black box, not only can you have a CPG site converged network but also the external cloud-based partner. This is something new, which has a software defined network. It's very similar in design, only software managed. The external managed secure network provider has VPN appliances, boxes, installed in the CPG site. The IT user administration outsource: like I said, if you have a small IT department, maybe a couple of guys that are your IT Latin it, this is something to partner with. You're talking about an outside source that has expertise in this area. So the external managed secure network partner has management control of the OEM connectivity based upon the CPG's permission and control too. You can set up your requirements, reliability, users. It's always audited, so your connectivity is always audited. There are statistics that come with this. Evaluate the control of external access on a continuous basis. Based on the trusted partnership relationship, the connectivity of the CPG site equipment can now be tracked continuously. And this is something, some of these external managed secure networks offer a multitude suite of tools that you can use. I think that brings us to the end.

Okay, now we'd like to take some questions from our audience. The first question is for Rob, and this person wants to know: what are the roles of engineering and IT in selecting and implementing a converged network?

A good question. It seems like in past experiences IT and controls engineering were two isolated departments that didn't work well with each other. And IT's been around for 30 years working on even issues, and this is really now come down to controls engineering, that we're connecting all of our
devices. You've heard of Internet of Things. And so it's really, you've got to develop that partnership within your own company between the two departments to develop some of these standards. It's just required in order to get this accomplished.

Yeah, I'd like to add a little more color commentary to that. I just returned from a conference wherein the focus of the conference was digital transformation, and as Rob just identified, there's an absolute need of the IT and engineering and OT all working together in a seamless way in order to fully take advantage of this transformation to a digital world. And manufacturing, CPG manufacturing, is beginning in that regard, but it really underscores the value here of this secure vendor access approach of having a dialogue both internally but also externally with your supplier partners.

Okay, our next question says: can you use multiple methodologies at the same location? Rob, do you think you could take that one?

Yes, yes, it's actually recommended to have the converged network, to have all these different methodologies in place, combining all of them just as roadblocks. You're trying to create as many roadblocks for that outside external, whether it's a state or some sort of, who knows, person that's trying to infiltrate your network, viruses. And you want to try to create upwards and downwards security at the same time.

Okay, our next question is about insurance, and it says: since this involves risk management and cybersecurity, how do you think the insurance industry will respond to these guidelines?

Joyce, I'll take that one.

Okay.

Yeah, I will. And what I'd like to share with the audience is, as the team, the secured vendor access solutions group team, has been developing this, we've had a couple of opportunities to bring in experts, subject matter experts from the insurance industry, major carriers and also companies who represent those carriers, to get their
insights and understanding of how we are doing and how this is communicating. And it's an emerging topic for sure. The insurance industry has been very forthcoming and very helpful and have agreed to continue to help behind the scenes, if you will, to review some of these work products. So I would say it's very much in alignment, and I would think from a CPG standpoint, communicating internally with your risk management folks and your CFO folks who interact with the insurance community, to help bring them into the dialogue, will be very, very helpful.

Well, I'd like to thank Rob and Steve for a great presentation today on secure vendor access, and I'd also like to thank our sponsor ProMoc. And for the latest news about engineering and operations in food and beverage manufacturing, and to view news about our upcoming webinars, visit profoodworld.com. Thank you for attending this presentation and have a great day.