Security awareness is through the roof in the manufacturing automation sector and executive buy in is vital for any kind of program to gain traction.
At the Schneider Electric’s Automation Conference, CONNECT 2016, in New Orleans in late May, Gary Freburger, president of the company’s Process Automation business, and Andrew Kling, director of cybersecurity and architecture, sat down with ISSSource Editor/Founder Gregory Hale to discuss cybersecurity issues facing the industry today.
ISSSource: Are you seeing executives being more aware of cybersecurity and are they starting to buy?
Gary Freburger: We see across the board a big shift in the attitude, and the discussions, and the approach. I will share a conversation I had with a customer. He said five years ago (the industry) was talking about cybersecurity as something somebody is going to do. The industry should pay attention to it and should be aware of it. But there was not a lot going on; customers were paying attention to it, but it wasn’t in front of their minds. When we talked to other folks and providers in the market and when we talked about cybersecurity, there really wasn’t a lot of substantive actions. Today, it is completely the opposite. Almost every discussion involves cybersecurity. What are we doing? How are we approaching it? What are we doing from a product standpoint? What are we doing from a systems standpoint? Every project we are doing right now, cybersecurity is part of the discussion. When I look forward, when we look at new greenfield type projects, it is a key part of the discussion. How are we going to make sure your product is secure? How do we make sure your systems are secure? How do they connect to our systems? How can we together make sure we have security overall? I think it has changed significantly in terms of the discussions, the attitude, and a lot of the offerings that are in the market today. But it still has a long way to go. There are some fundamental things that everybody is doing. But to get to a place where people are comfortable and they are secure, there is a long way to go. The customers we talk to recognize that as well, and the importance of it continues to grow as well.
ISSSource: Are they buying it?
GF:Yes. We have a consulting business that is continuing to grow for the past four or five years. Some of our major customers are looking to partner around a cybersecurity approach long term. From a product perspective, it is not fair to say they buy it, what is fair to say is they expect it. From a product level, it is not like they are saying I will buy this, plus I will pay for cybersecurity embedded in the product. That is what they expect. The discussion is about what are you doing, and how is it secure.
ISSSource: When you have a request for proposal out there, and usually the lowest bid wins, is cybersecurity included in on that proposal?
GF: It depends on the projects. We do thousands of projects a year – not a couple of hundred. It depends on what the customer is asking for. Is it a modernization? An upgrade or expansion? There are all types of things we do, where inherently cybersecurity may not be the first discussion. But in all of those discussions, the question is what have you guys done in terms of cybersecurity? What have you done in products and what have you done in process? When you talk about major expansions or greenfield projects, it is definitely part of the discussion and part of the proposal.
ISSSource:How does certification help in that regard? Are users asking for third party certification to ensure security is built in?
GF:It really depends on the customers’ security maturity and what they are trying to accomplish. When we tell them we have cybersecurity whether it be in a product, a system or at the development level, they will generally ask us how have we been certified. What it gives them is a baseline to be able to understand at what level we are certified. Frankly, most all of our customers have experts internally and they can assess it and say you are at a level one or level two depending on what agency it is, and here is what that means to us. They can then look internally and based on that, here is what else we have to do. From our perspective the more we put in, the less they have to worry about. But they still have a whole system issue they have to deal with. So, they are looking for some baseline, a relative third party; they look for those accreditations and there are maybe two or three worldwide.
Andrew Kling:Would you agree Gary that certifications also give us a way to have a common language with a customer when it comes to security? “Are you secure?” is a very imprecise question. “Are you certified to this security standard?” gives everybody a common reference point.
GF: Yes, and what does the standard stand for? That is a better way to say it.
ISSSource: A security person will come to an executive and say we need to budget X amount of money for security and he gets the funding for the initiative, but then he comes back later on and asks for more funding. Do executives understand security is not a onetime project, but an ongoing evolution?
GF: I would say generally yes, with the caveat you have to understand who in the organization you are talking to and what level. I also don’t think security is unique here. You talk about automation expectations, you can talk about a lot of things. If you are talking to a senior person in the organization, they generally know “here are the things we should be thinking about and here are the things we should be talking about.” Would they completely understand this is an ongoing process and there are costs involved? Maybe not. But they know enough to ask the kinds of questions that would lead them down that path. I can assure you, from our perspective, with the customers we deal with, there are people inside the organization that absolutely know this and understand it.
AK: I think we both agree the nature of cybersecurity is constantly evolving and it is evolving at a different rate than process control. That is what sometimes catches people off guard and that is because process control infamously evolves at a very slow rate and cybersecurity evolves at the rate of cell phone evolution. It is unbelievably fast how what was leading edge two years ago, was common a year ago is obsolete this year. In the cybersecurity space, we are constantly having to educate the customer of the constant nature of cybersecurity vigilance.
GF: I had an interesting discussion with a customer on the time differences between available systems and process automation. He had two different views. His first view was, “look I have a whole bunch of product working on Windows XP and it is not supported anymore” and he said “you guys should go to Microsoft and get extended support in the market.” We said that was interesting and we tried, but the expectation is with Windows they continue to upgrade and, as we would all expect, they all have the next level of cybersecurity in their system. He said on the other side, “if that is the case, why don’t you tie your process automation releases to Windows’ new releases?” That is a little difficult, you just can’t build it that fast. It evolves a bit differently. The automation business is not just a software business. There are a lot of things around it. Can we get closer? Yes. It shouldn’t be a two-year window, but it won’t be a three-month window either.
AK: Three or four years ago Microsoft announced they were going to an agile methodology. We saw the beginnings of this in Windows 8 and Windows 8.1 and Windows 8.2, where they put them out in pretty rapid succession, which was an indication of their agile approach to things. With Windows 10, they stopped. There will not be a Windows 10.1 or 10.2. It is a constant stream of every month and every quarter there are updates coming out. So tying it to a release is an obsolete term at this point. You can’t do it. We have to rethink our business model on who can support this constant evolving platform. Microsoft recognizes this and works with us, but on an annual basis we learn we have to update to the next step in the Windows line. The game is changing under us. Our embedded operating system vendor, Wind River, has done something very similar with the VxWorks operating system. There isn’t going to be a VxWorks 7.1, there is VxWorks 7 and a steady stream of patches and updates and feature adds and feature deprecation and that is how the lifecycle works now.
ISSSource: When a system is out there for 30 – 40 years, but then you hear about ExxonMobil’s move to go to a more standardized uniform process, how does that play into a secure by design model?
GF: It plays well into what we are thinking in terms of the way the industry is going. For sure, part of it will be around the whole cybersecurity discussion and how do they roll that into their next generation or upgrade process of how they manage their facilities.
ISSSource: The industry can’t keep going the same way it is going with systems up there for 30-40 years when you have technology changing that rapidly. Do you see that type of standardized uniform model occurring in the industry?
AK: The whole evolutionary path of being continuously current is what we are faced with all the time. Is it just a cybersecurity thing, or the whole system? Are they evolving at different rates? How does this work for our customers? I feel like cybersecurity is pulling the rest of the system along. The challenge we have is getting customers to understand there is a reason technology is evolving so fast. Yes, it has to do with money. Yes, it has to do with new features, but there is also the recognition the world is changing around that technology. And our process control systems and our cybersecurity systems, we have to keep up with the technology just to answer the realities of the world and the space we live in. Cybersecurity forces us to go forward. Cybersecurity can’t fix Windows XP, it can merely patch the most severe of the problems, but at the end of the day, Windows XP does not have the facility to resist today’s cyber landscape. Technology is going to get pulled into process automation because cybersecurity is leading the way because other technological trends are pulling it along. I worry about those customers that have the mentality of 30-40 years, or even 10 years. Just look back on the technology of ten years ago. The thin laptops, smart watches, the phones we carry. The technology is changing. Technology does bring value. But it is also there because there are value propositions it is bringing along.
GF: There is some level of risk from a customer’s perspective. What are those systems that are out there? How long have they been out there? But also, what are they managing? What are they controlling? What is critical? We see it is the most critical parts of the process and parts of the plant they are very keen on. As that risk level goes down, their sensitivity goes down. It doesn’t go away, but it goes down. They are very focused on what are the things I have to do to make sure I do not have significant issues. They have to do a good risk analysis to understand where the focus has to be. There are some places that may accept to leave a system out there for a while. That could be their choice.
ISSSource: Security has always marketed poorly where people focus on fear, uncertainty and doubt (FUD) and not on it being a business enabler that allows a company to keep systems up and running for greater productivity and greater profitability. Are executives thinking that way, or is it they don’t want their name on the front page?
GF: I think it is a mix of both. The business aspect of it is continuing to grow as they see the opportunities and, as Andy said, some of the cybersecurity demands are pulling the technology and they are seeing the benefits to it. But there are still a lot of folks who have the view of “Look– make sure my plant does not blow up and I don’t end up on the front page.” It depends on the level of what kind of facilities you are talking about.
AK: I think they are not that far apart. Keep my name off the front page and cybersecurity as an enabler, they are really stories about managing risk to the organization and managing the risk to my revenue stream and managing the risk to my corporate reputation. I think they are closely related.
ISSSource: There was always the thought of how can I get money for a cyber solution and if you go the business route that says you can keep the systems up and running so you can make more widgets, it may seem easier to get funding?
GF: We have a cybersecurity consulting group that started out just focused on our product and how can we help the customer. It is going very well and it has grown in several cases to plant wide consulting to our customer. In that case it is a benefit to us and it is a benefit to them. They see the opportunity because they see the benefit to being secure and they know they will be able to pull some productivity through. There are some cases today where that is happening and they are getting the business benefit. Is it their first priority? Probably not in most cases yet. But it will continue to grow. As it continues to grow and they see the value to it, let’s face it, at the end of the day, the most important thing you can get to a senior executive today is value. If you go to a senior executive and talk security, they say, “oh yeah.” But if you say I am going to save you $100 million. Now that is different. You have to look at what am I going to get out of this and that is fear, but it is also from a business perspective and how can I leverage this? I think it is moving very fast in the organization in terms of its level and importance in the organizations.
ISSSource: Moving over to a different subject and that is the supply chain, just how do you ensure a secure supply chain?
GF: I do like to clarify what is a secure supply chain. There are different types. If you go into critical power, when you talk about a secure supply chain, they talk about it a little bit differently. They talk about if you have everything secure from the time you start building a product to the time you deliver it to me. Not only the product itself, but the environment, the people, the transportation, the whole process. That is a very intricate process and that does exist today and there is a method to do that. I am an old aerospace guy and we used to do this 20 years ago. If you were doing some critical military work, you had to have the whole secure supply chain. It wasn’t so much focused on hardware as it was people. That was one secure supply chain. The other type of supply chain is how do we know as we buy components from all over the world, how are we assembling it all, how are we putting it together and how are we certifying the product is secure, is a little different. It is the processes we have for each one of them. Understanding how they build and what they do and when it gets to us, what are we doing for testing and verification. Which comes down to the accreditations we get as part of the process. Since we are not building everything, we have to make sure how all this got put together and how we are making sure it is secure.
AK: This is something we take very seriously. We have had a program for a couple of years of working through our vendors. As we have worked with them, we have found some uncomfortable things and we have worked with those vendors to correct them and we have even worked with some to put their own secure lifecycles in place. We are not 100 percent, but we are making solid progress. It is a very interesting area because if you step way back from the product and look down on it and count lines of code, there are operating systems from Wind River, there are operating systems from Microsoft, there are network OT protocol libraries we are buying from Triangle MicroWorks. What are all these companies’ processes they have in place because if the TMW DNB3 protocol code shows up on the Internet tomorrow, how does TMW react and how do we react? So working with each one of these vendors we are helping to put more processes in place to help them produce a more cyber secure product that helps us produce a more cyber secure product.
GF: That is one of the reasons why we have focused on the contemporary view of cybersecurity in terms of product, and testing and certification and also the process. We went after having a certified development process just for exactly this reason. We take it very seriously that you have to have both.