Andy Kling is the vice president of cybersecurity and product security officer for the industrial automation arm of Schneider Electric and member of the International Society of Automation (ISA) Global Cybersecurity Alliance (GCA). At Schneider he’s responsible for numerous industrial control system and process automation-type product families across the company. His responsibilities are to ensure that Schneider delivers secure products, systems, and services, and that covers a wide variety of topics from standards committees to government influence and government involvement. Andy talked with Plant Services Managing Editor Anna Townshend about this important standard today, as well as other cybersecurity topics like where to start with your cybersecurity program, cloud security, and cybersecurity in the future.
PS: Why don't you tell us a little bit about what you do at Schneider Electric and how that led into your involvement with the International Society of Automation's Global Cybersecurity Alliance. And maybe tell us a little bit about the ISA and the GCA as well.
AK: I'm the vice president of cybersecurity, product security officer for the industrial automation arm of Schneider Electric. This means I'm responsible for numerous industrial control system and process automation product families across Schneider Electric.
My responsibilities lay in ensuring that we deliver secure products, systems, and services. Covering a wide variety of topics from standards committees to government influence and government involvement to driving our secure development lifecycle, so that we produce consistently secure solutions. To the second part or your question, about what led to my involvement with the International Society of Automation, ISA's Global Cybersecurity Alliance, that's a really interesting story.
Several years ago now, Schneider Electric was involved in a rather infamous cyber incident. Some colleagues of mine and I were sitting around one day saying, "We want to share what's going on. We want to share it with the industry. We want to share it with our colleagues, the other OEMs, and the customers in this industry." But there was no good forum for this kind of discussion. Yes, there are the ISACs (information sharing and analysis centers), which allow you to report upwards into government agencies and then they can determine how that information flows down and out. But there was no way for us to go horizontally across the industry. All we had, as Schneider Electric, was to pick up the phone and call our counterparts in the other OEMs in order to share this information.
So what we concluded is that we need an alliance, a shared forum. We need a way for us to come together because we all have a common interest here. We're not competing in this space. We're trying to share in this space. And that really was sort of the genesis. The birth of this idea about how this Global Cybersecurity Alliance should come together. Of course I have no doubt that many others were having similar thoughts.
I have to say that other OEMs in this space and other customers immediately got it, and we were able to move forward quickly to get the Global Cybersecurity Alliance put together. From there, you know, I have to really give a lot of props to the Global Cybersecurity Alliance, their leaders, because they've taken the idea and didn't just turn it into some sort of commercial venture but really taking the spirit of what we're trying to accomplish here, this sharing and growth of cybersecurity together. There are real problems being solved and they really helped drive it.
There are multiple directions that the ISA GCA is constantly involved in right now, achieving some really important things at the international level. In the beginning, there were industry pundits who were asking if this is just another alliance put together for commercial purposes and really sort of downplaying the potential of this. But I have to say that we have exceeded everybody's expectations and continue to grow be successful.
Anybody listening, anybody reading here today, I really encourage you to think about joining the Global Cybersecurity Alliance because I think there are a lot of benefits for everybody.
PS: That's great. What a great place for industry to share and come together. And how long has this alliance been together?
AK: It was originally formed in 2018. So we're talking three short years, yet we have numerous documents and training courses and government influences, dealing with laws and regulations that are emerging from governments that we're influencing.
We have the incident response solution, ICS4ICS. If you are unaware of the ICS4ICS program it is the result of the ISA Global Cybersecurity Alliance joining forces with the Cybersecurity and Infrastructure Security Agency (CISA) and cybersecurity response teams from more than many participating companies to adopt FEMA's Incident Command System framework for response structure, roles, and interoperability. It is a great example of so many things going on. And it all happened in three years. The mind boggles if you project forward into the next three years, the next five years, what we're going to accomplish, what we're going to take on as an industry and really try to solve.
PS: Yeah. Things are really moving fast. And cybersecurity, what an important topic these days, especially for industry. I think the pandemic has only increased its importance as well. And we've all heard all the horror stories about ransomware attacks recently and possibly even worse when you're considering critical infrastructure industries. So where does the industry start? What's your advice these days regarding cybersecurity programs? What's the most important thing facilities should be thinking about if they're worried about attacks and kind of where do they start?
AK: When I talk with my teams, when I talk at the industry level, what I talk about is what is the mission of cybersecurity? What are we trying to accomplish? And it comes down to a rather straightforward concept. Our job is to understand cyber risk, identify those risks, where they are, and then manage those risks. That's really what, as cybersecurity professionals, that's what our job is. Understand the risks, identify where those risks exist, and then manage those risks. So when you think about that, where do you start? Where do you find what are some of the most important things we should be thinking about or worried about if we're worried about cybersecurity?
The starting point is the human element. You know, it's your softest part of the attack surface. We all know that we're constantly being bombarded with statements about understanding what phishing attacks are. And we probably all must take some form of annual training on cybersecurity, but the human element is going to be one of the most important starting points because that is where most attacks begin.
Once you get past that, once you feel like you have good staff in place, your staff understands cybersecurity and the risks, I would say that you need to move on to thinking about your plant, your business, what your attack surface looks like, what are you exposing to the world?
You mentioned the pandemic a moment ago and COVID, everybody knows that that turned into remote access and a real stress on businesses' ability to provide remote access suddenly to a workforce that was spread to the winds, so that attack surface grew. Really what I'm saying is understand your attack surface. Once you understand that, you'll understand where it is you must perform risk assessments, where you have to look to say, "I need to shore up in these areas."
We have a good strong remote access solution but perhaps our password management or our multifactor authentication capabilities could be beefed up, could be strengthened so that we have a stronger solution in that space but you won't know if you don't spend time to analyze it and assess potential risks.
If you're worried about attacks, try to imagine an attack has happened, now what? Do you have an incident response program in place? Do you know how to deal with an incident, identify that that incident is underway, and then deal with it very quickly? Or are you going to run around, panicked and start unplugging everything? Maybe that's part of your response strategy and you've tested it and that's good, but you should have a plan. You should know how you're going to respond to if an attack takes place.
In that category is, do you have strong backup and restore procedures? Because one of the surest ways to deal with ransomware is to restore. Restore from clean backups. I want to be careful to say that because sometimes ransomware infects your backup systems as well. You have to make sure that you have good strong solutions in these places.
If you're worried about attacks, think about the human element, think about assessing what your attack surface looks like so that you can make plans to continuously strengthen and deal with where you might be weak. Have a backup and restore solution and have an incident response plan. An incident response plan, by the way, that you've practiced in a tabletop exercise or two.
PS: That's a great outline, I think, to give people an idea of where to start. Let's talk about data a little bit. We're really in a world where digital technology and data analysis is changing operations, improving operations, but this also brings some added security risks. So how can factories utilize digital technology and still stay safe, or what are some of the key areas that facilities should be aware of in regards to protecting their data?
AK: So first, there's no doubt that IoT, IIoT, IT/OT convergence, however you label it, the speed of business today is accelerating to match the speed of the operations within their plants. There is zero doubt that there is real value in the way this works. To drive businesses in this fashion at the speed that they're trying to run at now, they need to have access to operations data. And to do that, this is how they're going to recognize the value. They're going to be able to make decisions in a much tighter timeframe.
I've been in this industry a long time.I remember weekly reports on the old perforated green bar paper. The business would make decisions based on these weekly, monthly and quarterly reports that came out. Those days are long over. We're making decisions now sometimes at five, six second levels. The price of electricity changes every few seconds. Can you make business decisions based on the price of electricity, for example?
From a cybersecurity standpoint, we have a responsibility to help enable the business to have access to this data. If the business has to have access to this data, then we have to have a strategy to secure that access. We have to think about how the data flows, how it moves through the system, who or what has access to this data, and then what our strategy is to protect that data.
And what I want to say is, if you don't know how to do this, if you don't understand your data flows, get help. Reach out to your IT department, bring in some external contract resource, but get some help so that you can understand how your data is moving around because that's going to help define your strategy on how you have to protect this data.
And then don't think of this as a single event, think of this as a continuous process, because it's going to constantly be evolving and you're going to have business peaks and troughs, and your data's going to flow differently during the different seasons of your business so think about that as well. Think of cybersecurity and the protections that you have to enact to protect this data as a continuous effort, constantly reassessing, constantly adjusting your plans.
PS: I like that idea of the continuous process, no matter what it is, it's always changing. And I think as an example, more and more facilities are adopting cloud storage versus on-prem storage. So is the cloud safe? I think that's ultimately what everybody wants to know. What kind of general guidelines can you talk about that the facility should have in place to make sure that the cloud is safe for the business?
AK: We're talking about secure for on-prem or off-prem storage. And like any platform decision that you make, these can be complex. Complex decisions with complex questions. An on-premise database that is connected through remote access or some other means but doesn't have good protections can be as dangerous as an unreliable cloud partner. The choice of the platform you make is going to depend on a lot of different factors.
Factors like cost and availability may be tangentially involved,. If we just focus on the cyber aspects, you need to think about a couple of things. You need to think about, if we're making a decision about, do we go on-prem or off-prem for our data storage, ask yourself and give honest answers. Are you capable of providing the necessary security 24/7 and 365 days a year?
Are you capable of providing that necessary security to match today's needs? And remember what I said a moment ago, you're going to be constantly assessing and reassessing because the needs constantly are evolving as well. Just look back, two years ago, ransomware was very different than it is today. It's a much larger challenge today. Businesses need to adapt to that reality.
The second thing that you should be asking yourself is to think about data in a couple of different states. What I mean by that is your data is either going to be moving over a wire from say the edge to the cloud or the edge to an on-premise data store of some sort. So that's data in motion or data at rest. The data has come to rest in a database and that database could exist on-prem or in the cloud. If you think about these two states, now what you want to think about is how do I protect my data in each state?
Listen to the entire interview
In motion, we traditionally want to think about things like VPNs and secure networks. We think about encryption technology. But keep in mind that it's not just confidentiality, you're not just trying to keep your data from somebody else seeing it while it's in motion. You also have to think about did it get to the destination? Meaning availability. If you're going to the cloud, do you have multiple connections to that cloud? Does your cloud partner have ways to failover servers in case they have hardware failures, which happen alarmingly frequently?
Think about these different scenarios and make sure that you're taking into account more than just confidentiality, you're taking into account the availability that I mentioned and the integrity of that data while it's moving around on the wire.
For the other state, data at rest, you need to think there about some different strategies. Now that data is at rest, Attackers know where they want to go get this data. It's stored at this location. It's in a Microsoft SQL server or it's in some other data store. And they're going to devise their attack based on the reconnaissance and discovery of what your platform of choice is using.
Think about the scenarios, go through and understand what those threats are, and then build strategies around that. Again, this is one of those things that it sometimes requires a cyber professional to come in and help you walk through this threat analysis to go through these risk assessments so that you can be confident that you've thought of the scenarios.
You can be confident that you know the TTPs, the tools, techniques, and procedures, that are being used by attackers today. You can have confidence that you have prepared yourself as well as you can. And as soon as you're confident that you have done all of that, throw that out because it's almost time to start reassessing again.
PS: Interesting. Well, thinking specifically about the cloud, I was at a conference last week, and there was a lot of talk about the cloud. And the focus was really that now is the time for cloud. The last few years, people were really skeptical about it. There was a lot of questions. Cloud providers had to explain to people what the cloud was, whereas now customers are asking for it and they're searching out cloud solutions. Do you agree with that for the most part?
AK: Yes, I do. Even though I'm an older now, I'm not stuck in a paradigm that I grew up with. I recognize that today's generation is growing up with a piece of glass in front of them. You know, whether it's a phone or a tablet of some sort, but they have a piece of glass in front of them that is used as a window on the world. And they have no idea where the computing is taking place for all the applications that they're using or games or communications that they're using. They have no idea where this compute takes place.
It's becoming an accepted norm because this generation is growing up with it. The reason it's becoming an accepted norm is because it's getting more secure, because it's getting more reliable because the connectivity is improving all the time. You know, we've got 5G that's coming, that's even going to take another big step change in that connectivity. It is very easy to get connected to all of this now. That wasn't the case years ago.
And the cloud was a big unknown. But in pulling back the veil on what the cloud is and who the players are, and who the providers are, people are becoming more accepting. Now, I'm not saying that just because it's Microsoft or just because it's Amazon, or just because it's some other major cloud provider that you blindly accept that they do it right. I can personally admit that I've had people on my teams that have had Azure servers hacked because they didn't enable the proper security controls and they lost control of it.
Fortunately, it's in the cloud, you just flush it and start up a new one and do it right this time. And we learned a big lesson when that happened. What I'm saying is I think the cloud is here. I think the cloud is now. I think that the veil is being pulled back and people are understanding it better for what it is. And the value propositions are certainly very real.
If you're trying to run your business and you're going to have cloud extensions as part of your platforming strategy, understand who your partners are, understand what controls need to be in place. Just like if it was a platform on-premise.
PS: Well, let's switch gears, and we'll talk a little bit about your work with ISA. We do have some international standards to guide cybersecurity requirements and procedures, thanks to that group and their work with IEC, who is the International Electrotechnical Commission. Together, they created the 62443 standards. So what's most important for industry to understand about these standards?
AK: I've been answering this question for many, many years. I personally am part of the workgroups that helps produce the 62443 suite of cyber standards. And the best and most simple explanation I can use is when you talk about cybersecurity with someone, it's very difficult to pin down, what does cybersecure mean and how do you know you've reached a common point? How do you know you're cybersecure? It's one of those terms that are very difficult, very soft and squishy, and difficult to pin down.
Well, 62443, at least in the industrial control space, has taken on that and has defined what cybersecure means. We have spent time to say, if you're a network device, this is what we mean by being secured. You have the following functions in place, and you follow the following practices when you create a network device or a control device or a host. And we have gone step-by-step and defined from a plant owner standpoint, how to assess your plants and build a risk strategy.
We have taken time to define as OEMs producing the devices and the systems to define the security controls that go into the devices. We have taken time to define how you securely deploy these solutions into the field. We've tried to imagine the entire breadth from the moment you conceive of the need for a product in a plant or a solution in a plant all the way through the birth of that product and the delivery of that product.
Even in some cases all the way through the end of life of that product. How do you securely dispose of say a control device that might have intellectual property stored in it? So 62443 embodies that entire breadth of thinking about what is cybersecurity through this entire lifecycle. Now, 62443 isn't done, it will never be done. Why? Because the world is constantly changing. Technology's changing out from underneath us, and it's forcing a different way of thinking.
We're moving fast toward open platforms. Cloud has enabled IoT, IIoT. We have IT/OT convergence driving the movement of data from operations to business and back, so all of these things are changing the face of what industrial control systems look like. ISA 62443 as a standard is also constantly evolving to meet these the evolving needs.
Now the difference between ISA and IEC, ISA works on the standards and we take it out at the industry level and we modify it and agree as an industry, "This is what it looks like." When we get to IEC, we use them to publish our standards. So they take it out to the countries and ask the countries, "Do you see this standard as usable in your country?" And they come back and give us comments, and then the workgroups within ISA work on it further.
By the time we get through all of this process, we have ratified it across the industries. We have ratified it across the countries where there are regulatory agencies and controlling agencies looking at these standards. And IEC then takes it to the world and produces the standard. On top of that, we have certification bodies that help us ensure that through third-party assessments, whether it's plant delivery organizations, OEMs building products, whatever has been defined within the standard, it helps us assure that through a third-party assessment, we're doing it properly.
It's a great program. It really is a great program. Remember all the way back to the beginning of our conversation. I'm from Schneider Electric. What I say is we use 62443 as the canvas to paint our cybersecurity program upon. It underlies everything that we think about when it comes to cybersecurity.
PS: Great, thank you for that outline. I've heard some folks talking about 62443, in terms of being so important for establishing terminology around cybersecurity and giving the industry a common language that they really didn't even have in order to discuss some of these issues.
AK: Exactly. Your brain would fry if you sat through some of our standards meetings where we just argue the one term for weeks on end sometimes.
PS: Well, let's look toward our crystal ball a little bit. Cybersecurity, like you said, is changing so quickly. And I don't imagine that's going to stop anytime soon. So it's been a busy few years but what about the future? What does that hold for cybersecurity and specifically for industry? Or maybe what should facilities be looking out for in 2022?
AK: I would say that there's probably four things that we want to pay attention to that's going to help define where cybersecurity is going. The first is, we need to think about the supply chain. Cybersecurity doesn't begin at the moment a piece of hardware is born, but it actually begins farther back when those components to make that hardware are resourced, then behind that, when the source code that was used to create those components that went into that piece of hardware was born. And so on.
Cybersecurity not only goes all the way back, but also all the way forward to the point where these components are being used in the field. If you think about supply chain, what do you want? You want transparency in the supply chain, so I think that that is going to be one of the big things that helps change. That transparency in the supply chain, we can start to think about faster response times to vulnerabilities. We can think about provenance when we get into, you know, worldwide geopolitical sensitivities.
There are a dozen different ideas that you get once you start to think about transparency in the supply chain, so I think that that's important. I think that looking forward, we're going to see the speed of attacks increase. This is purely driven by technology. I mean, obviously, attackers are driven by whatever drives them, financial, geopolitical, whatever. But you're going to see the technology is going to help enable the attacks to go faster.
If attacks are going faster, then our defenses are going to have to be stronger, they're going to have to be faster as well We're going to have to improve our cybersecurity responses to match those attacks, the speed of these attacks coming. I think that we're going to get better at incident response. That's the third thing that's tied to this concept of transparency in the supply chain and the speed of attacks.
If the speed of attacks is improving and we can identify these attacks faster because we have transparency and what's in our supply chain, we know where we're vulnerable. Once we know we're vulnerable, then we're going to be able to look for these threats faster and identify these attacks sooner. Incident response is going to become more and more important for us so that we can deal with it.
There's a term that's emerging these days called SOAR, Security Orchestration Automated Response. And you know, this term SOAR really is about if attackers are automating their attacks, can we automate our responses to these attacks? Yes, I know it sounds like a robot uprising, and in some respects, it is, but that's really where things are moving. Towards an ability to automate some responses in order to speed up defense. That's the third area.
The fourth area we covered a little bit already, but I'll just say it out loud, standards have to rise to meet the changing needs of cybersecurity. We have to have this common definition of what secure looks like and what success looks like when you've achieved that security level. The standards have to help us, and that's going to be one of these things that continues to evolve, and everybody should be looking and participating in supporting these standards organization because it is the backdrop to a lot of what we do in the cybersecurity space.