A Worldwide Journey to Build a Secure Development Environment
SESSION ID: EXP-R02F
#RSAC
Dawn Cappelli
VP and Chief Information Security Officer
Rockwell Automation
Geof Storms
Director, Operations & Security
Rockwell Automation
Why do we need a Secure Development Environment (SDE)?
Rockwell Automation
Introduction – Dawn Cappelli
Introduction – Geof Storms
Manufacturing engineer, 1985-1990
Program manager, 1992-1994
VP Operations & business development, 1994-1997
Director, strategic planning, CIO, 1997-2002
VP Operations, VP Technology & Process Development, 2002-2007
Business manager, Director Operations & Security, 2007-present
IDA
What is a Secure Development Environment?
The SDE is intended to protect our most important Intellectual Property from internal and external threats, while minimizing the impact on our products’ innovation and time to market
Where to start?
1. Determined highest risk locations where we do development
2. Identified high risk development location in which management and employees wanted to be our pilot site
Your SDE employees should see the SDE as a good thing – this is where the most important information in the company is being worked on!
The Right Way and the Wrong Way
Source: https://en.wikipedia.org/wiki/Gilligan's_Island
Source: http://www.businessinsider.com/larry-ellison-yacht-racing-2014-10
The Right Way: Plan carefully
The Wrong Way: Jump right in!
How does this compare to creation of a Secure Development Environment (SDE)?
Initial SDE Pilot: A Success!
The SDE in high-risk locations for high-value assets is equivalent to a vault – primarily preventive controls.
But then things went off track…
Source: RC Boat Magazine
Issue #1: Cost to scale
Issue #2: Impact to productivity
Issue #3: Erosion of controls
Issue #4: Lack of ownership
Course Correction Leads to Long-Term Success
What’s Next: Apply course correction to future SDEs
Source: markedsforing.dk/artikler/kampagner/vestas-race-we-must-win
New Discovery: One size does not fit all
Without proper planning it can be difficult to adjust
How does this compare to creation of our second Secure Development Environment (SDE)?
With proper planning it is much easier
Issue #1: A Different Threat Environment
Issue #2: Aging Infrastructure
Issue #3: Change Management and Training
Source: Brian Carlin – Team Vestas Wind
Issue #4: Collaboration Requirements
The Solution: Three Tiers of SDEs
The SDE in lower threat location for high value assets is equivalent to a fence – primarily detective controls
Final Lesson Learned: Use a phased approach
http://www.b2bnn.com/2016/04/death-of-the-minimum-viable-product/
Use the Minimum Viable Product concept for SDE phased implementation
Current State: Rolling out SDEs globally
Apply: Action Plan
Step 1
• Identify your most critical assets
• Where are they? Who needs access?
• How do those organizations / people work together?
Step 2
• Will the vault, fence, and remote access tiers work for you?
• If so, design them; if not, determine what models you need
Step 3
• Choose a pilot site
• Get all applicable parties involved before you start
• Create a comprehensive plan
• Conduct pilot
Step 4
• Lessons learned, create a playbook, get it 80%
• Proceed to the next site
Additional Questions?
Please join us for our Focus On session from 9:15 – 10:00 am in Moscone West 2024
Contact Information
Dawn Cappelli
Vice President and Chief Information Security Officer
Rockwell Automation
+1 414-323-0404
dmcappelli@ra.rockwell.com
Geof Storms
Director, Operations & Security
Rockwell Automation
+1-414-382-0771
gwstorms@ra.Rockwell.com
