How Is AI Reshaping Cybersecurity in Industrial Automation?

In the ever-evolving landscape of industrial automation and cybersecurity, few voices carry as much weight as Kwame Zaire’s. With a deep background in manufacturing, a passion for electronics and equipment, and expertise in production management, Kwame has emerged as a thought leader in predictive maintenance, quality, and safety. His insights into the intersection of operational technology (OT) security and industrial systems are invaluable, especially as cyber threats grow more sophisticated. In this interview, we explore the significance of cybersecurity awareness, the vulnerabilities in supply chains, the impact of AI on industrial control systems, the importance of embedding security into safety lifecycles, the risks of open source software, and the evolving challenges of securing OT data.

How does the theme of Cybersecurity Awareness Month, “Building a Cyber Strong America,” resonate with you, and what does it mean for the industrial sector?

I think it’s a powerful call to action, not just for individuals but especially for industries like manufacturing where so much is at stake. For me, it’s about creating a culture of resilience—ensuring that every worker, from the shop floor to the boardroom, understands their role in protecting critical systems. In the industrial sector, a single breach can halt production or compromise safety, so building that strength means prioritizing education, training, and robust systems to guard against evolving threats.

What role do you believe Cybersecurity Awareness Month plays in helping both everyday people and businesses shore up their defenses?

It’s a crucial reminder that cybersecurity isn’t just an IT problem—it’s everyone’s responsibility. For everyday folks, it’s a chance to learn basic habits like strong passwords or spotting phishing emails. For businesses, especially in industrial settings, it’s an opportunity to reassess policies, train employees, and invest in protections. The month-long focus creates momentum, encouraging conversations that might otherwise get pushed aside in the daily grind.

Can you share some practical first steps a small company might take during October to boost their cybersecurity practices?

Absolutely. Start with the basics—conduct a quick audit of your current systems to identify weak points. Make sure all software is up to date, as patches often fix known vulnerabilities. Train your team on recognizing suspicious emails or links, since human error is a common entry point for attacks. Finally, implement strong access controls, like multi-factor authentication, to limit who can get into critical systems. These steps don’t require a huge budget but can make a big difference.

Turning to supply chain cybersecurity, what makes supply chains particularly vulnerable to risks like AI, geopolitical tensions, and quantum threats?

Supply chains are complex, with multiple vendors, partners, and systems interconnected across borders. This creates numerous entry points for attackers. AI can be used to craft highly targeted attacks, like deepfake scams to trick employees into sharing data. Geopolitical tensions can lead to state-sponsored attacks targeting critical infrastructure, while quantum computing, though still emerging, threatens to break traditional encryption. The sheer scale and lack of visibility in many supply chains make it hard to secure every link in the chain.

What are some actionable strategies a company can use to start protecting its supply chain from these cyber risks?

First, map out your supply chain to understand every connection and dependency. Then, establish clear security requirements for vendors—don’t assume they’re secure. Use tools to monitor for unusual activity across the network, and build redundancy into critical processes so a breach at one point doesn’t cripple everything. Collaboration is key; share threat intelligence with partners to stay ahead of risks. It’s about creating a unified front rather than leaving each link to fend for itself.

How can businesses strike a balance between maintaining efficiency in their supply chain and implementing strong cybersecurity measures?

It’s a challenge, but it starts with integrating security into processes rather than treating it as an afterthought. For example, automate security checks during transactions or data exchanges to avoid slowing things down. Invest in technologies like secure cloud platforms that enhance both speed and protection. Also, prioritize risks—focus on securing the most critical components first rather than trying to lock down everything at once. Efficiency and security can coexist if you plan strategically.

The rise of AI has been linked to increased phishing threats for industrial control systems. Can you explain how cybercriminals are using AI to target these systems?

AI is a game-changer for cybercriminals because it allows them to scale and personalize attacks. They can use AI to analyze vast amounts of data from social media or leaked records to craft convincing phishing emails tailored to specific employees. For industrial control systems, attackers might mimic legitimate operational commands or fake urgent maintenance alerts to trick operators into granting access or downloading malware. The sophistication of these attacks makes them harder to spot, especially in high-pressure environments.

Why are industrial control systems especially at risk from these AI-driven phishing attacks compared to other systems?

Industrial control systems often operate in environments where downtime is catastrophic, so operators are conditioned to act quickly on alerts or instructions. This urgency can override caution, making phishing more effective. Plus, many of these systems weren’t designed with cybersecurity in mind—they’re often older, with outdated protocols that lack modern defenses. Combine that with the fact that a successful attack can cause physical damage or safety hazards, and you’ve got a prime target for bad actors.

What steps can operators of industrial control systems take to stay ahead of these AI-based threats?

Training is critical—operators need to recognize red flags, even under pressure, so regular simulations of phishing attempts can build that awareness. Segment networks to limit damage if a breach occurs; keep critical systems isolated from internet-facing ones. Deploy advanced detection tools that use machine learning to spot unusual patterns in communications. And finally, keep systems updated and patched, even if it means scheduling downtime. Staying ahead means being proactive, not just reactive.

When it comes to the functional safety lifecycle, why is it so vital to embed cybersecurity at every phase?

If you wait to address cybersecurity until a system is operational, you’re already too late. Embedding it from design through decommissioning ensures that security is a core part of the system, not a bolt-on. Each phase—whether it’s risk assessment, implementation, or maintenance—has unique vulnerabilities. For instance, a design flaw could expose a system to attacks years later. By integrating standards like ANSI/ISA-61511 or ISA/IEC 62443 at every step, you reduce risks and ensure safety and security go hand in hand.

Can you share an example of how following these standards has helped a company avoid a major cybersecurity issue?

I’ve seen a chemical processing plant benefit immensely from adhering to ISA/IEC 62443. During the design phase, they identified a potential vulnerability in how their control system communicated with external vendors. By following the standard’s guidelines, they implemented secure protocols and access controls before the system went live. Later, when a phishing attempt targeted their network, the attack was stopped cold because the system was already hardened. Without that early focus, they could have faced a costly shutdown or worse.

For companies just starting to adopt these safety lifecycle standards, where should they begin to ensure their processes are secure?

Start with a gap analysis—compare your current practices against the standards to see where you’re falling short. Focus first on the risk assessment phase; understand what threats you’re facing and prioritize based on potential impact. Then, bring in training for your team so everyone understands the standards’ importance. If resources are tight, partner with experts or industry groups to guide implementation. It’s about building a foundation—don’t rush, but don’t delay either.

Looking at open source software, what do you consider the most significant security risk, and why does it stand out?

I’d say the biggest risk is lack of visibility into dependencies. Open source software often relies on libraries or components maintained by third parties, and if one of those has a vulnerability, it can ripple through your system. It stands out because many companies don’t even know what’s in their software stack—until a breach happens. Unlike proprietary software, where a vendor might push updates, with open source, you’re often on your own to track and fix issues, which can be overwhelming.

How can companies build security into their software design from the start when using open source tools?

Begin with a secure development lifecycle—vet every open source component before integrating it, checking for known vulnerabilities using tools like software composition analysis. Establish a policy for regular updates and patches, and only use components from trusted communities with active maintenance. Also, design with least privilege in mind; limit what each piece of software can access. Security from the start means fewer headaches down the line, even with open source.

What is your forecast for the future of OT cybersecurity as threats continue to evolve?

I see OT cybersecurity becoming even more intertwined with IT as convergence accelerates, which means both greater opportunities and risks. Threats will grow more sophisticated—think AI-driven attacks that adapt in real time or quantum computing breaking current defenses. But I’m optimistic about the response; we’ll see more automation in threat detection and response, and standards will continue to mature, providing clearer roadmaps. The key will be collaboration—industries, governments, and tech providers working together to stay ahead of the curve.
