Ben Dickinson is Global Product Manager for Cyber Security at ABB. In December of last year, breaking news of the SolarWinds supply-chain attack moved cybersecurity into the top headlines, as news emerged that many U.S. governmental systems were at risk. Plant Services editor in chief Thomas Wilk had the chance to talk with Ben about the links between cybersecurity, energy efficiency, and physical safety in the age of COVID.
PS: My first question is about cybersecurity, but also about physical security. We seem to be living through a moment where physical security is pushing cyber from the headlines. If plants are not preparing for a worst-case scenario from a bombing attack via drones, as happened about a year ago in Saudi Aramco, they're also adjusting to this post-COVID world, where health and safety best practices are evolving quickly. So given these pressures, Ben, in your opinion, how are plants balancing their cybersecurity efforts with these new and more physical threats?
BD: That is a good question. I would actually push back on that question slightly. I think there is a perception that cyber is being pushed from the headlines slightly, but what I would say is that, from our experience, the number of cyber-attacks continues to rise year on year. And the impact of those attacks also continues to rise, whether that's safety impact, business impact, or financial impact.
We see lots of incidents, but there's no obligation for the owners and operators to disclose the incident. And it's quite a sensitive incident, that you have to be careful who you disclose to, and the focus is on remediating the issue. The incidents that you see in the media are often just a small percentage of the incidents that you actually see in the public eye. We know of many serious incidents that you'll never read in the headlines and for good reason, really. So, what I would do is say that cybersecurity is still a priority for many organizations. It's their number one risk, and it's something that they're dealing with every day.
What we're seeing is, still, an increased demand for cybersecurity support, whether that's continuing with compliance against regulatory requirements, understanding risk and how current climates and changes in environment change the risk posture to an organization – how we do things differently to ensure that the risk stays the same, or how we can mitigate risks through new and innovative sort of technology and different techniques.
PS: That explains a lot for me because, at professional events, very occasionally, there'll be a question from the front to ask people to raise their hand, if they're able to, for anyone who has been impacted by cybersecurity risks and impacts. And at one session I was at, one out of every three people raised their hand, and they wouldn't have otherwise volunteered that information.
BD: That's right, and we see the same. If we talk to customers about their cybersecurity and if they don't think it's going to affect them, then they'll quite happily disclose the fact that they're busy, either assessing their cybersecurity and dealing with incidents large or small, and are working towards compliance and implementing security controls that meet their regulators' requirements.
PS: Another issue that's top of mind for our readers is energy management. In your opinion, how are advances in cybersecurity enabling improved energy management by plant teams?
BD: Energy management is all about understanding your assets. It's not just about how much energy is being generated and consumed, but working out why you're using so much energy, how are you consuming it, and how you can consume it better. So, it's not just monitoring your energy usage – you're optimizing how you use that energy, how you generate heat, and how you store energy as well on your industrial site.
What this means is that you're connecting more of your assets together to collect valuable data, and this data becomes very valuable to the organization. Owners and operators need to consider the criticality of that data and the benefit to the organization. Should that data be corrupted or no longer available through the cyber-attack, then what would the implications be to the organization? What would the impact be?
It's not just an operability issue, it's an information security issue on that critical data. What ABB do is, they approach this by making sure that those digital solutions have cybersecurity embedded into them. We have minimum cybersecurity requirements for products, projects, and services that align with industry best practice, so that we can ensure that any products or projects that we deliver have been tested for security. An example of one of those requirements would be penetration testing on that technology to make sure that an attacker couldn't find a vulnerability and make it do something it shouldn't be doing.
PS: Our readers are primarily in the maintenance and reliability side of the organization. We have a healthy grouping of plant managers as well, and these teams are usually overburdened with the regular work of the day, PMs, predictive maintenance rounds. From your perspective, working with customers, how are these facilities teams and these maintenance teams managing any kind of new technologies that come with increased cybersecurity? Are plants increasing head counts and getting one or two cyber experts on board, are they more contracting with services teams, or is it a mix?
BD: It all depends on the resource capability that already exists within their customer base. This can differ quite a lot, but as a support service organization, we see increased demand for support services around our digital technology, so we couple the technology services that you get by using our technology with the support services to ensure that there isn't an extra burden on actually maintaining and operating the technology as well. For example, ABB’s energy management solutions can automate the process of reporting compliance against ISO 50001 on energy management, which otherwise done manually would be quite an onerous process for our engineers. So, what that means is that customers can see the benefits of the new technology, in digital technology, without necessarily increasing their headcount in order to maintain it.
PS: That's really interesting because sometimes I think that when it comes to cyber, these teams are concerned about learning enough to actually help mitigate the company's risk profile. Occasionally even the finance team will come down and talk to the reliability engineers or the reliability managers, and talk about, "Okay, how can your team through reduced downtime, help us improve our risk profile?"
BD: Yeah.
PS: Well, I have one more question for you today, Ben, and it's regarding big data and remote analytics. It's a bit of a buzzword right now among the maintenance community that a lot of things are going remote, due to the pandemic. What are one or two things that you would recommend to plant teams who are starting that journey for big data and remote analytics? And what are one or two things you'd recommend to teams who are already pretty well down that path, and would like to know what's coming next?
BD: I think the first question I would ask is, what does your architecture look like on the systems that you plan to digitize? If you are setting out on the journey of digitization, taking advantage of your data, the first thing you need to ask yourself is, if you're going to do it securely, is your system set up in a secure way to do it?
Establishing what's called a Secure Reference Architecture allows you to align with best practices and with international standards like IEC-62443, or the NIST framework for cybersecurity of Industrial Control Systems. And this ensures that your system is set up in a way where you can do things like restrict data flow, so once you’re getting data flowing in and out of your industrial networks, you're not bringing in cybersecurity risk as a result.
Also, the reference architecture leads nicely onto a set of foundational security controls that you would put in to reduce risk and ultimately reduce the exploitability of your system and the likelihood and impact of a cyber-attack. These foundational controls that we'd recommend include system updates, considering how to patch your systems, and keeping your Windows systems up to date so the latest malicious software that's developed or discovered on your Windows systems can't easily exploit your system. (They include) endpoint protection, whether that's antivirus software on your machines to detect known malicious software, or what's called application whitelisting, which is commonly suited to industrial systems because they don't change much – you create what's called a whitelist of known good software that's running on your systems, and then this whitelisting software will prevent anything else from running on the system also that may be malicious. A system backup is another foundational control to ensure that if a cyber-attack has an impact, you can quickly and safely recover your systems. The last control is around detection capability, some sort of tool or capability to monitor events going on in your industrial systems to detect activities that are outside of the normal activity for that system, and perhaps detect a malicious attacker on the system before causing an impact.
So, what I would ask before you set out on your digital journey is, what does the risk look like on those systems? What's the likelihood and impact of a cyber-attack on each of your control systems? And then as you start to design your digital solutions and your approach to implementation, how does that risk posture change and how can you mitigate it and keep it at an acceptable level? All of this, doing it, aligning with the best practices in IEC-62443, which is the international standard for cybersecurity of industrial control systems.
And the other thing that I wanted to point out was around how you set about a digital journey. So, what we often see is that people are asking the question, "Where should I spend money on digital?" And "What is artificial intelligence?" Or "What's machine learning, and how can we benefit from it?" Or "What dashboards would I like to see in energy management, for example, or asset performance management?" And I think that's jumping the gun a little bit. I think what you want to be doing is asking the question, "What is the problem that I'd like to solve, as a result of implementing digital where any other solution couldn't?" If you're already on that journey, I would be looking back and reviewing and saying, "Does my digital solution so far answer the question? Is it solving the problem that I want to solve as a result of a digital solution?"
In a recent study, we found that less than 20% of organizations have more than a third of the employees actually trained in digital, and trained in their digital strategy as an organization. But, more than 60% of our customers actually have a digital strategy, so there's a mismatch between customers in heading out on the digital journey, but not really taking their employees with them. If you're already set out on your digital journey, I also would look back and say, "Are my employees aligned with our digital strategy, and trained to understand it and sell it to their customers in the wider organization?"
PS: That is a fascinating disconnect. And it sounds like those organizations are inviting challenges related to digital and cybersecurity by not pulling the entire team along on the journey.
BD: That's right. Yeah. So, we find that it's very beneficial to, as we come up with technical innovations and develop our products with new capability, it's very important to communicate that capability and pull our employees along that journey along the way, involved all the time.