Security awareness in the manufacturing automation sector is through the roof, but actually implementing a security program is another matter, with obstacles that include legacy systems, a workforce aging out of the industry, compatibility with new technology, and insurance.
On top of that, the message has to continue to trickle down from executive management that security, along with safety, is job one.
Peter Herweck, executive vice president for Schneider Electric Industry, and Andrew Kling, industry automation product security officer and senior director of system architecture at Schneider, sat down with Gregory Hale, Editor and Founder of Industrial Safety and Security Source (ISSSource.com), at the ARC Industry Forum 2019 in Orlando, FL, to discuss management’s role in cybersecurity. The following is part one of a two-part Q&A discussion:
ISSSource: There are a lot of people at the executive level that are aware of security, but they don’t know what to do next, what do you hear from your counterparts at the executive level?
Herweck: I would even go one level higher than the executives, I would go to the board room. The shareholders, with the board representing the shareholders, they are always concerned with the risks that are out there. While cyber has always been an afterthought if you go a couple years back, and later on was focused on the IT world, people have figured out all of a sudden this could have a substantial impact on operations. This could go all the way to shutting it down to also influencing it. Imagine if someone could come in and influence some parameters on some products you manufacture. If you were to paint a car and you find a way to manipulate the thickness of the paint and three years later you have painted cars with a different thickness, you really have a problem. So, with that, it has become obligatory for boards to question executives on where they stand in respect to protecting critical assets. In respect for us, it is how do we support our customers and how do we make sure our customers are secure. These are real day and nighttime topics as we speak about digital transformation for our customers. It is the second question on the table.
ISSSource: How do you delegate ownership of the whole security issue?
Herweck: I think it is similar to other things you need to delegate as the person responsible. At the end of the day, you are accountable. So, you want to make sure you have processes in place that tell you how well you are secured. In that respect, it is difficult to have one KPI that can tell you, but we are intelligent enough today to understand how many attacks did we have and how successful were we in finding out. There are certain standards one can follow in the world of protecting your own production assets. I think that is what we need to do and also want to do in helping our customers. From a Schneider perspective we are looking at three areas: How can I protect my own company, how can I protect the products I am selling and how can I help the customer protect the installation they have, not only from a technical perspective, but also from a procedural perspective and a people engagement perspective. It is technology, process and people that one needs to worry about. These are the three things we are trying to be crystal clear about in respect to responsibilities.
Kling: It is multi-dimensional. You ask how do you protect from having a potential gap in your cybersecurity coverage. If you say, you are responsible for this part of the plant, and you are responsible for that part of the plant. Oops, somebody forgot where these two parts of the plant connect. Yes, you have to have the people part of it, but you also have to have processes that help assess the entire plant from the outside in and from the inside out and go through the assessments where these things get caught.
ISSSource: Isn’t that the beauty of the IT-OT convergence where you are uniting two areas together where you can eliminate that schism?
Kling: You can eliminate a preconceived set of notions and a preconceived view of the world because someone is coming in with a different perspective. (When you hire a third-party cybersecurity services unit), they don’t come in perceiving how the customers think the plant is run. They come in looking at it from an attacker’s standpoint. They are looking at the entirety of that visible part of the plant.
Herweck: I would take a little bit of a step back. I think with Stuxnet, people realized, oh wow, there is a totally new area in my operations I have never thought about. People pre-Stuxnet did not think about cybersecurity of operational technology because usually they were islands. In previous jobs, we said to be totally secure let’s figure out if we have an island network that is not accessible from the outside. That is technically possible, but in theory the danger is the people that go in and work there. Stuxnet was implemented in that way. You just dropped a USB stick in the parking lot. With that, the operational space started to become aware. That was also about the time when we started talking about IIoT (Industrial Internet of Things). At the end of the day, it is IP addresses that invite people to come in. Sometimes it is not as simple as looking at some of the legacy systems and saying “ok, here is a Windows 3.11 and let’s upgrade this to the latest and greatest Windows version” and once you have done this you realize your plant is not running anymore. Because people coming from the IT world have done it and they have no idea on how it functions. It is important to have people come in that know how the plant functions and how some of the attackers think.
ISSSource: Now we have IIoT connectivity coming from everywhere, that should scare the daylights out of everybody on the OT side. Yes, the benefits are through the roof, but you also have the attack surface just increasing. How do your counterparts counteract the benefits versus the downside?
Herweck: I think they understand cybersecurity is a necessary expense where you have to mitigate risks you have. You have safety risks, you have cybersecurity risks, you have financial risks and you have economic risks. It shows up in the risk matrix of the customers so once you have identified it and quantified it and then you say what is my mitigation to it, then you can bring in people to support the customer and provide defense-in-depth analysis, plus necessary action plan, plus how is the journey continuing because it is a continuous journey that needs to go on. We see companies paying quite a bit of attention and it is one of our fastest growing businesses at this point.
ISSSource: Do your customers see security as a business enabler? If you are doing it right, it should allow your process and your system to be that much more resilient. If you are on top of your game, you will stay up and running and more productive and more profitable.
Herweck: There is a mixed picture. I think right now more people lean toward the eliminate risk side of things.
Kling: Cybersecurity is frequently not viewed as this is going to increase your revenue. Instead, it is viewed as this helps protect your revenue stream. It helps protect your ability to keep your business running to keep it resilient. That is an appropriate place right now. If we can just get to that level right now, if we can get to the level of people thinking cybersecurity can help make your business more resilient. Eventually we can get to the point of it helps to increase the bottom line.
Herweck: There is no upside to having an intrusion. There is only downside. So, of course if people have an experience, they will see it as an increased enabler. If they have had no intrusion it is only protecting the downside.
ISSSource: People understand if they haven’t been hit, but do they understand they may not know they have been attacked?
Herweck: I think most companies understand, of course they have different understanding at different levels. Most companies we talk to, they have their CISO or their chief cyber officer that really understands where they are. A lot of companies out there lost their jackets because they were not paying attention to their golden nuggets. Sometimes it is about stealing, sometimes it is about manipulating, sometimes it is about getting money out of it. There are a variety of different approaches to it. We have had espionage for a very long time, it is just the methods have changed. I think you always have to be aware of what people want to do.
ISSSource: At the executive level, what are their biggest fears? Is it loss of reputation, ransomware, terrorism, or all of the above, or is it just the idea they are not protected?
Herweck: It varies from customer to customer, but if they are stock-listed companies, it is about destruction of value. We have seen this in the consumer space where credit card data was stolen somewhere. It can be that intellectual property is stolen. We have seen from customers, when we are talking cyber it is a classified discussion because they don’t want this to be public. They don’t want it to become public that we have done a great project together to protect them because people may say why have they invested so much, have they had a problem before?
ISSSource: Will they confide in you they have been hit, or will they say we just have to do this?
Herweck: There is a variety of things. There are cases that are public where the customer comes to us and says here is something, can you help us? There are other things where it takes some time to find out this was not an accident where you got involved in doing something. Then there are others where sometimes it is a change in personnel where one chief information security officer gets replaced by another who looks at things differently.
ISSSource: Do you see insurance companies becoming more of a factor in the whole security question?
Herweck: Like any other insurance, if you engage in getting the insurance, they will handle the plan for you saying this is the area where you are insured and this is the area where you are not protected. From that perspective you want to make sure you are operating in the right area. With that the insurance takes a role of defining how you operate in the insured area. If you run a poor program, and who defines whether this was a poor program or it was run poorly, you will have the insurance on board. I think they do define how it is and that will determine if they pay out.
ISSSource: If you can prove to the insurance company you are doing the right things for security, could your premiums be lower?
Herweck: There are certain standards out there in the OT space defined by IEC. That is a standard one can lean against saying I am the customer, I am insured and I am staying within the framework of this standard.
Kling: The model you are talking about plays out elsewhere. You see it played out in cars. You plug this into your car and prove you are a safe driver and your premiums will go down. It is advertised on TV and they are marketing that approach. It is inevitable that insurance companies act as that agency of holding businesses accountable. There are other agencies accountable in verticals, like NERC and FERC, that hold the power generation industry accountable where there are big fines possible. That is the stick approach. Ultimately there needs to be a carrot approach that acts as an incentive to prove you are cyber secure.