Patrick DolinyMarch 2, 2022
The Bang Energy Cyber Story: Industry 4.0 and the Role of Zero Trust Security
Sports beverage company Bang Energy was an early adopter of Zero Trust principles to secure its increasingly digitized global facilities and workforce, as well as a distributed network of third-party vendors and partners. Here’s how the company adopted Zero Trust security to keep its trade secrets safe.
Guest blog by Patrick Doliny, SVP of Information Technology & Cyber Security, Bang Energy
Industry 4.0, the fourth industrial revolution, is the rapid digitization of manufacturing. Organizations are connecting legacy infrastructure to the internet and smart devices that achieve more efficiency, automation and interconnectivity. It’s advancing operational technology (OT), speeding adoption of cloud-based services and expanding use of Internet of Things (IoT) devices. Industry 4.0 has also made systems inherently less secure.
At Bang Energy, that was one of our biggest challenges. As we’ve grown globally, it has, of course, been important to stay agile and invest in technology that scales operations. We’ve added new partners and expanded our distributed salesforce. Simultaneously, the prime objective is always ensuring our cybersecurity strategy safeguards our IT, OT and IoT systems so there’s no threats against intellectual property and brand value.
Since 2014, I’ve been a believer in Zero Trust security principles … well before the term started to gain traction. Here’s why we adopted Zero Trust and how we got started, including advice for other manufacturers or any organization balancing digital transformation with the ability to harden your security posture for now and the future.
Bang Energy’s OT security journey
When we think about OT security, we focus not just on our employees, but our partners, too. Bang Energy has built a global network of co-packers—vendor partners that produce our sports drink brand.
Co-packers’ facilities are massive manufacturing plants and, as Bang Energy partners, they produce our formula, our secret sauce. We need to make sure there’s governance in place so we can audit each co-packer for data protection. They need to demonstrate to us that operational excellence is in place before we give them the formula and a work order for 2 billion can lines.
On the manufacturing floor, whether we’re implementing machine learning or robotics, we’re also going to need support from an external vendor. We needed a way for those support teams to come into our network infrastructure in a very secure fashion and monitor and audit their use of data.
Governance has also been crucial for our salesforce. We’ve experienced a lot of growth in a short period of time. Our sales team worked remotely even before the COVID-19 pandemic but managing the security of a remote workforce has been crucial for most organizations even beyond manufacturing.
We’ve also invested heavily in software as a service (SaaS) and cloud-based solutions, which can be difficult to manage. How do you manage the appropriate access? How do you prevent data leakage?
New processes are being automated as we modernize our operation, which means different applications and services have to talk to each other and share data. There’s a lot at stake as we plan out how this digitization takes shape.
Benefits of Zero Trust securing OT
As we’ve continued to digitally transform, we took a top-down approach for our cybersecurity strategy. Instead of the traditional “trust and verify,” we wanted to “verify and trust.” That’s why Zero Trust security is so important to supporting our strategic pillars and advancing the organization while improving our risk posture.
If an attacker breaches a system and can move laterally, everything from an organization’s intellectual property to OT controls are at risk. That’s why Zero Trust security was the key for us, to ensure our brand is as secure as it can be and limit lateral movement.
The most obvious use case was making sure our network access was secured by a software-defined perimeter (SDP) solution, because VPNs don’t protect industrial controls very well and we have a sales team to consider, too.
We were very agile in adopting SDP, which was an easy win as the company grew. Constantly onboarding (and sometimes offboarding) individuals with multiple connections on mobile phones, tablets and laptops is a complex operation and doesn’t fit neatly into a physical perimeter.
It didn’t stop there. We have managed policies for all our SaaS applications to prevent or enable access based on the individual. Adopting Zero Trust is more than just a vision; it’s a policy driver.
Advice for adopting Zero Trust Network Access
One piece of advice I received years ago still rings true: You must be intentional about your approach to Zero Trust security. That advice was specific to the architecture, but what I’ve done is take the same approach and made Zero Trust a policy driver.
Coordinate with the leaders in your logistics and supply chain departments to understand where all the potential big data resides outside of your traditional IT. You must understand where the pain points are in logistics and supply chain, and that may be new to some security officers as it was for me.
Do your risk analysis and work with risk managers and officers to understand where all those pieces are and be intentional about your Zero Trust approach as a policy driver, as well as the architecture for your organization. When we partnered with Appgate and moved to Appgate SDP, its Zero Trust Network Access solution, we went back to the basics and that helped get us to where we are today.
Listen to Patrick talk about on Industry 4.0 and Zero Trust security on the Zero Trust Thirty podcast here.
About Patrick Doliny, MBA, Lt. Col. USMC (Ret.)
SVP of IT and Cyber Security, Bang Energy
Patrick has a proven track record as a successful C-Level strategist in start-up, government and major corporations. Leading change and delivering sound solutions that produce bottom-line results, he's a visionary and avid evangelist of information technology and cyber security. As a recognized leader in strategic planning, product development, leadership and development, functional IT transformation, globalization and cost containment, he's a negotiator who excels at building consensus and achieving buy-in from diverse stakeholders.
Patrick served honorably in the United States Marine Corps retiring at the rank of Lieutenant Colonel. In the military, he received the highest commendation having served with the North Atlantic Treaty Organization (NATO) and was awarded the Meritorious Service Citation, the Commander's Medal for Public Service, and the Navy Cross.