How to manage cybersecurity risks at your manufacturing plant
Andy Kling is the vice president of cybersecurity and product security officer for the industrial automation arm of Schneider Electric and a member of the International Society of Automation (ISA) Global Cybersecurity Alliance (GCA). At Schneider he is responsible for numerous industrial control system and process automation product families across the company. His responsibilities are to ensure that Schneider delivers secure products, systems, and services, which covers a wide variety of topics, from standards committees to government influence and government involvement.
Andy talked with Plant Services Managing Editor Anna Townshend about cybersecurity issues for manufacturers and how his work at Schneider led to the creation of the GCA.
PS: What led into your involvement with the ISA GCA? And maybe tell us a little bit about the ISA and the GCA as well.
AK: Several years ago now, Schneider Electric was involved in a rather infamous cyber incident. Some colleagues of mine and I were sitting around one day saying, “We want to share what’s going on. We want to share it with the industry. We want to share it with our colleagues, the other OEMs, and the customers in this industry.” And there was no good forum for this kind of discussion.
So what we concluded is that we need an alliance, a shared forum. We need a way for us to come together because we all have a common interest here. We’re not competing in this space. We’re trying to share in this space. And that really was sort of the genesis, the birth of this idea about how this Global Cybersecurity Alliance should come together.
I have to say that other OEMs in this space and other customers immediately got it, and we were able to move forward quickly to get the Global Cybersecurity Alliance put together. And from there, I have to really give a lot of props to the Global Cybersecurity Alliance, their leaders, because they’ve taken the idea and didn’t just turn it into some sort of commercial venture but really taking the spirit of what we’re trying to accomplish here, this sharing and growth of cybersecurity together. There are real problems being solved, and they really helped drive it.
There are multiple directions that ISA GCA is constantly involved in right now, achieving some really important things at the international level. In the beginning, there were industry pundits who were asking if this is just another alliance put together for commercial purposes and downplaying the potential of this. But I have to say that we have exceeded everybody’s expectations and continue to grow and continue to be successful. Anybody reading here today, I really encourage you to think about joining the Global Cybersecurity Alliance because I think there are a lot of benefits for everybody.
PS: How long has this alliance been together?
AK: It was originally formed in 2018. I only know this because it’s coming up on dues time. But it’s been since 2018 that it’s been together. So we’re talking three short years, yet we have numerous documents and training courses and government influences, dealing with laws and regulations that are emerging from governments that we’re influencing.
We have the incident response solution, ICS4ICS. There are just so many things going on. And it all happened in three years. The mind boggles if you project forward into the future the next three years, the next five years, what we’re going to accomplish, what we’re going to take on as an industry and really try to solve.
PS: Cybersecurity is such an important topic these days, especially for industry. So where should facilities start? And what’s the most important thing facilities should be thinking about if they’re worried about attacks and where to begin?
AK: When I talk with my teams, when I talk at the industry level, what I talk about is: what is the mission of cybersecurity? What are we trying to accomplish? And it comes down to a rather straightforward concept. Our job is to understand cyber risk, identify those risks and where they are, and then manage those risks. That’s really what our job is as cybersecurity professionals. Understand the risks, identify where those risks exist, and then manage those risks. So when you think about that, where do you start? What are some of the most important things we should be thinking about or worried about if we’re worried about cybersecurity?
The starting point is the human element. It’s the softest part of the attack surface. We all know that we’re constantly being bombarded with statements about understanding what phishing attacks are. And we probably all must take some form of annual training on cybersecurity, but the human element is going to be one of the most important starting points because that is where most attacks begin.
Once you get past that, once you feel like you have good staff in place, your staff understands cybersecurity and the risks, I would say that you need to move on to thinking about your plant, your business, what your attack surface looks like, what are you exposing to the world?
You mentioned the pandemic a moment ago and COVID. Everybody knows that that turned into remote access and a real stress on businesses’ ability to provide remote access to a workforce that was suddenly spread to the winds, so that attack surface grew. Really what I’m saying is understand your attack surface. Once you understand that, you’ll understand where it is you have to perform risk assessments, where you have to look to say, “I need to shore up in these areas.”
Perhaps you have a good strong remote access solution but your password management or multifactor authentication capabilities could be strengthened so that you have a stronger solution in that space, but you won’t know if you don’t spend time to analyze it and then assess potential risks.
If you’re worried about attacks, try to imagine an attack has happened, now what? Do you have an incident response program in place? Do you know how to go out and deal with an incident, identify that that incident is underway, and then deal with it very quickly? Or are you going to run around, panicked and start unplugging everything? Maybe that’s your response strategy and you’ve tested it and that’s good, but you should have a plan. You should know how you’re going to respond if an attack takes place.
In that category then is, do you have strong backup and restore procedures? Because one of the surest ways to deal with ransomware is to restore. Restore from clean backups. I want to be careful to say that because sometimes ransomware infects your backup systems as well. You have to make sure that you have good strong solutions in these places.
In summary, if you’re worried about attacks, think about the human element, think about assessing what your attack surface looks like so that you can make plans to continuously strengthen and deal with where you might be weak. Have a backup and restore solution and have an incident response plan. An incident response plan, by the way, that you’ve probably practiced in a tabletop exercise or two.
PS: How can factories utilize digital technology and still stay safe? What are some of the key areas that facilities should be aware of in regards to protecting their data?
AK: So first, there’s no doubt that IoT, IIoT, IT/OT convergence, however you label it, the speed of business today is accelerating to match the speed of the operations within their plants. There is zero doubt that there is real value in the way this works. To drive businesses in this fashion at the speed that they’re trying to run at now, they need to have access to operations data. And to do that, this is how they’re going to recognize the value. They’re going to be able to make decisions in a much tighter timeframe.
I’ve been in this industry a long time. I remember weekly reports on the old perforated green bar paper. Businesses would make decisions based on these weekly and monthly and quarterly reports. Those days are long over. We’re making decisions now sometimes at five, six second levels. The price of electricity changes every few seconds. Can you make business decisions based on the price of electricity, for example?
From a cybersecurity standpoint, we have a responsibility to help enable the business to have access to this data that we’re talking about. If the business has to have access to this data, then we have to have a strategy to secure that access. We as cyber professionals, we have to have a strategy. We have to think about how the data flows, how it moves through the system, who or what has access to this data, and then what our strategy is to protect that data.
And what I want to say is, if you don’t know how to do this, if you don’t understand your data flows, get help. Reach out to your IT department, bring in some external contract resource, but get some help so that you can understand how your data is moving around because that’s going to help define your strategy on how you have to protect this data.
And then don’t think of this as a single event; think of this as a continuous process, because it’s going to constantly be evolving and you’re going to have business peaks and troughs, and your data’s going to flow differently during the different seasons of your business, so think about that as well. Think of cybersecurity and the protections that you have to enact to protect this data as a continuous effort, constantly reassessing, constantly adjusting your plans.
PS: More and more facilities are adopting cloud storage versus on-prem storage. What kind of general guidelines should be in place to make sure that the cloud is safe for the business?
AK: So we’re talking about safe. We’re talking about secure for on-prem or off-prem storage. And like any platform decision that you make, these can be complex, complex decisions with complex questions. An on-premise database that is connected through remote access or some other means but doesn’t have good protections can be as dangerous as an unreliable cloud partner. The choice of the platform you make is going to depend on a lot of different factors.
Factors like cost and availability may be tangentially involved. If we just focus on the cyber aspects, you need to think about a couple of things here. You need to think about, if we’re making a decision about, do we go on-prem or off-prem for our data storage, ask yourself and give honest answers.
Are you capable of providing the necessary security 24/7 and 365 days a year? Are you capable of providing that necessary security to match today’s needs? And remember what I said a moment ago, you’re going to be constantly assessing and reassessing because the needs constantly are evolving as well. Just look back, two years ago, ransomware was very different than it is today. It’s a much larger challenge here today to deal with. Businesses need to adapt to that reality.
The second thing that you should be asking yourself is to think about data in a couple of different states. What I mean by that is your data is either going to be moving over a wire from the edge to the cloud or the edge to an on-premise data store of some sort. So that’s data in motion or data at rest. The data has come to rest in a database and that database could exist on-prem or in the cloud. If you think about these two states, now what you want to think about is how do I protect my data in each state?
In motion, we traditionally want to think about things like VPNs and secure networks. We think about encryption technology. But keep in mind that it’s not just confidentiality, you’re not just trying to keep your data from somebody else seeing it while it’s in motion. You also have to think about, did it get to the destination? Meaning availability. If you’re going to the cloud, do you have multiple connections to that cloud? Does your cloud partner have ways to failover servers in case they have hardware failures, which happen alarmingly frequently?
Think about these different scenarios and make sure that you’re taking into account more than just confidentiality, you’re taking into account the availability that I mentioned and the integrity of that data while it’s moving around on the wire.
For the other state, data at rest, you need to think there about some different strategies. Now that data is at rest. Attackers know where they want to go get this data. It’s stored at this location. It’s in a Microsoft SQL server or it’s in some other data store. And they’re going to devise their attack based on the reconnaissance and discovery of what your platform of choice is using.
So think about the scenarios, go through and understand what those threats are, and then build strategies around that. Again, this is one of those things that it sometimes requires a cyber professional to come in and help you walk through this threat analysis, to go through these risk assessments so that you can be confident that you’ve thought of the scenarios.
You can be confident that you know the TTPs (the tools, techniques, and procedures) that are being used by attackers today. You can have confidence that you have prepared yourself as well as you can. And as soon as you’re confident that you have done all of that, throw that out because it’s almost time to start reassessing again.
PS: Let’s talk a little bit about your work with ISA and some international standards that guide cybersecurity requirements and procedures. What’s most important for industry to understand about the IEC 62443 standard?
AK: I’ve been answering this question for many, many years. I personally am part of the workgroups that help produce the 62443 suite of cyber standards. And the best and most simple explanation I can use is this: when you talk about cybersecurity with someone, it’s very difficult to pin down what cybersecure means and how you know you’ve reached a common point. How do you know you’re cybersecure? It’s one of those terms that is very difficult, very soft and squishy, and hard to pin down.
Well, 62443, at least in the industrial control space, has taken on that and has defined what cybersecure means. We have spent time to say, if you’re a network device, this is what we mean by being secured. You have the following functions in place and you follow the following practices when you create a network device or a control device or a host. And so we have gone step-by-step and defined from a plant owner standpoint, how to assess your plants and build a risk strategy.
We have taken time to define, as OEMs producing the devices and the systems, the security controls that go into the devices. We have taken time to define how you securely deploy these solutions into the field. We’ve tried to imagine the entire breadth from the moment you conceive of the need for a product in a plant or a solution in a plant all the way through the birth of that product and the delivery of that product.
Even in some cases all the way through the end of life of that product. How do you securely dispose of say a control device that might have intellectual property stored in it? So 62443 embodies that entire breadth of thinking about what is cybersecurity through this entire lifecycle.
Now, 62443 isn’t done, it will never be done. Why? Because the world is constantly changing. Technology’s changing out from underneath us, and it’s forcing a different way of thinking.
We’re moving fast toward open platforms. Cloud has enabled IoT, IIoT. We have IT/OT convergence driving the movement of data from operations to business and back, so all of these things are changing the face of what industrial control systems look like. ISA 62443 as a standards body is also constantly evolving to meet these evolving needs.
Now the difference between ISA and IEC, ISA works on the standards and we take it out at the industry level and we modify it and agree as an industry, “This is what it looks like.” When we get to IEC, we use them to publish our standards. So they take it out to the countries and ask the countries, “Do you see this standard as usable in your country?” And so they come back and give us comments, and then the workgroups within ISA work on it further.
By the time we get through all of this process, we have ratified it across the industries. We have ratified it across the countries where there are regulatory agencies and controlling agencies looking at these standards. And so IEC then takes it to the world for us and produces the standard. On top of that, we have certification bodies that help us ensure that through third-party assessments, whether it’s plant delivery organizations, OEMs building products, whatever has been defined within the standard, it helps us assure that through a third-party assessment, we’re doing it properly.
It’s a great program. It really is a great program. Remember all the way back to the beginning of our conversation. I’m from Schneider Electric. What I say is we use 62443 as the canvas to paint our cybersecurity program upon. It underlies everything that we think about when it comes to cybersecurity.
PS: What does the future hold for cybersecurity and specifically for industry? Or what should facilities be looking out for in 2022?
AK: I would say that there are probably four things that we want to pay attention to that are going to help define where cybersecurity is going. The first is, we need to think about the supply chain. Cybersecurity doesn’t begin at the moment a piece of hardware is born, but it actually begins farther back, when the components to make that hardware are sourced, and behind that, when the source code that was used to create those components that went into that piece of hardware was born. And so on.
Cybersecurity not only goes all the way back, but also all the way forward to the point where these components are being used in the field. If you think about supply chain, what do you want? You want transparency in the supply chain, so I think that that is going to be one of the big things that helps change. That transparency in the supply chain, we can start to think about faster response times to vulnerabilities. We can think about provenance when we get into worldwide geopolitical sensitivities.
There are a dozen different ideas that you get once you start to think about transparency in the supply chain, so I think that that’s important. I think that looking forward, we’re going to see the speed of attacks increase. This is purely driven by technology. I mean, obviously, attackers are driven by whatever drives them, financial, geopolitical, whatever. But you’re going to see the technology is going to help enable the attacks to go faster.
If attacks are going faster, then our defenses are going to have to be stronger, they’re going to have to be faster as well. We’re going to have to improve our cybersecurity responses to match those attacks, the speed of these attacks coming. I think that we’re going to get better at incident response. That’s the third thing that’s tied to this concept of transparency in the supply chain and the speed of attacks.
If the speed of attacks is increasing and we can identify these attacks faster because we have transparency in what’s in our supply chain, we know where we’re vulnerable. Once we know we’re vulnerable, then we’re going to be able to look for these threats faster and identify these attacks sooner. Incident response is going to become more and more important for us so that we can deal with it.
There’s a term that’s emerging these days called SOAR, Security Orchestration Automated Response. And this term SOAR really is about if attackers are automating their attacks, can we automate our responses to these attacks? Yes, I know it sounds like a robot uprising, and in some respects, it is, but that’s really where things are moving, toward an ability to automate some responses in order to speed up defense. That’s the third area.
The fourth area we covered a little bit already, but I’ll just say it out loud: standards have to rise to meet the changing needs of cybersecurity. We have to have this common definition of what secure looks like and what success looks like when you’ve achieved that security level. The standards have to help us, and that’s going to be one of these things that continues to evolve, and everybody should be looking, participating in, and supporting these standards organizations because it is the backdrop to a lot of what we do in the cybersecurity space.
This story originally appeared in the January 2022 issue of Plant Services.