Andrew Kling and Peter Martin of Schneider Electric explained how the company responded to cyberattacks, and best practices for rapid response.
TechRepublic's Dan Patterson talked with Schneider Electric director of cybersecurity R&D Andrew Kling and VP of business innovation and marketing Peter Martin about how to deal with cyberattacks quickly and successfully:
Patterson: Every organization, from SMBs to startups to enterprise companies, deals with the reality of hacking, but where do hackers come from, and what do they want? ... I wonder if we could start with some of the attack vectors and processes that organizations can follow to prevent cyber attacks. First, let's start with location. Location is everything in cyberspace, as well as in real space. How do we prevent location-based attacks, and why is location a threat vector?
Kling: Well Dan, that's a good question. When we talk about location, there are many different types of location that we might be taking into consideration here. In a particular part of the world where there are geopolitical sensitivities, geopolitical activities, [and] are we in a particular industry that we have to worry about, that's more prevalent to attack than others?
From a cybersecurity standpoint, we largely ignore some of the location aspects and focus instead on how do we protect our customers, how do we protect our devices. As we build our threat models, we try to take into account all the different types of advanced persistent threats out there, all the different types of threat vectors that exist. We have a very disciplined process that we follow to help us enumerate these threats, determine if our products are vulnerable, and then help our R&D organizations build many mitigations and ultimately help our customers employ these mitigations with their sites.
Patterson: How do we best identify various threat actors? Not just the known actors, but the unknown actors?
Kling: That's a tough one. How do you know the unknown? So really, it's not really about identifying who these future or current threat actors might be, it's about understanding the types of attacks that we might be vulnerable to. The types of attacks that are emerging. We see for example evolutions in AI technology coming on very, very fast here. We realize, well, AI has the potential of being extremely good for our quality of life and the products that we build, but ultimately this technology is going to be turned against us. So as cyber professionals, it's our job to start to anticipate this technology and how these technologies are going to then be applied to the attack vectors, attacking our devices looking for openings, and how we can then build the fences against what we anticipate.
It's very much a game of understanding our product, understanding the attack surface, and building the fences for these types of attack vectors.
Martin: Dan, if I could jump in very quickly just to put some context into this, Andy and I work in a world where we provide automation and control systems and safety systems in industrial operations. Very often the clients that we work with are oil and gas, chemical, pulp and paper, power. A lot of infrastructure. So when you start looking at the world of cybersecurity today and you look at the type of markets we're dealing with, some of the challenges come right down to geopolitical attacks, as Andy was mentioning just a few seconds ago. A lot of geopolitical attacks are targeting infrastructure. Some of the infrastructure that we deal with is starting to be targeted, and it's being targeted through the systems. We've got a lot of experience at setting the fences up, as Andy says, and making sure that we're putting the protections in that our clients need to prevent even that level of attack.
Patterson: State actors are an incredibly challenging threat, and I know that Schneider has been the victim of state actors. Did you learn anything that other companies could then learn from you about deterrence and after-the-attack best practices on recovery?
Kling: Yeah, I would say this is probably one of the key questions. One of the primary things that we take out of a situation like that is the lessons learned. Certainly, we started with trying to be as transparent as possible about what happened. We did not want to be sticking our heads in the sand and pretending like, "Oh no, this didn't happen, it'll go away tomorrow as soon as the news cycle's over," but we wanted to confront it head on.
So yes, we learned lessons about how we handle this with our customer, how we handle it within the industry. Then we took a lot of that lesson, and we turned it back on ourselves, we turned it back into the product, we turned it back into saying, "How did this happen? How did we not understand this type of attack vector coming? How do we strengthen our product? How do we improve ourselves and our product?"
You often talk about the three things: people, process, and product. How do we look at each one of those and decide, "How do we learn from this and carry it forward?"
Martin: In a recent attack that we were involved in, it was a geopolitical attack to the best of our knowledge, the best we can frame it up, and the good news is our system product responded exactly as we had hoped it would. It shut down the plant before the attack had a chance to take root, and that probably saved equipment and life and whatever else it may be, but our bigger concern, as Andy was alluding to, is because the system worked, the industry may not take it as seriously as it really is.
When you're dealing with geopolitical actions, my goodness, they have resources, they have money, they have talent, and we've got to take this seriously. So at Schneider Electric, what we're trying to do is help build a consortium of different industrial automation companies like ourselves, IT companies, and users to make sure that we're sharing best practices, that it's not just Schneider Electric. We believe we do a very, very good job with cybersecurity, but we need to, as an industry, be able to do much better. We need to be able to communicate quicker, get the word out, make sure that all of our competitors, for example, understand what happened and they protect against it as well.
Patterson: I think that's such an important lesson: Transparency in the event of an attack, and communicating with partners so that anyone and any company can be the victim of a cyber attack. Building that trust equity is so incredibly important to deal with insider threats, threats that come from inside the company.
Kling: So the question is, how do you deal with insider threats? The standard cybersecurity response is something called partitioning. You don't create roles within the system that allow people ... insiders, people that have their functions within the system, all access to the whole system. Of course, we guide our customers in this fashion.
We have cyber services teams that help our customers assess their systems, assess their risks, and help them devise strategies for this. At the same time, we also have to account for this. We have to think about how you deal with this and accept that this might happen. Where we often in cybersecurity are talking about, defend, defend, defend, how do we build defenses, we are also equally thinking about detect and respond. How do we detect that an attack is taking place before it goes bad, before things happen. As Peter mentioned, our safety system shut down when this attack was taking place. Now, how do we detect and take appropriate responses in a situation like an insider attack?
Martin: We often want to think about the cybersecurity aspects of what we do, because that's where all of the excitement is nowadays. But when you get to sites where our equipment is installed and sites where an attack has taken place, the physical protection is every bit as important as the cybersecurity protection. Locking things up, making sure that your programming terminals are locked away and they're only accessible by people that should be accessing them, because when you're talking about a geopolitical attack, a lot of those attacks have a lot of patience with them. People will wait a long time to make an attack happen, so we're working with our clients to make sure they put best-practice physical protection, not just cybersecurity protection, in place.
Patterson: I wonder if you could help us understand how information that's gathered from physical locations can inform cyber attacks. What types of defenses should companies think about with physical infrastructure?
Kling: That's a great question. Again, in the cybersecurity industry we talk about somebody being able to probe your system, and start to try to extract out, say, IP addresses or MAC addresses, the layout of the network. You want to prevent that data from getting out. That's called data exfiltration, so you want to build solutions that help prevent that kind of data from getting out.
Assuming that that data does get out, assuming that some of this information can get out, then you have to start to build in regular audits. You have to start to build in regular review of your system so that you can detect, if I say, "These IP addresses are the allowed four IP addresses," and suddenly a system appears with a new IP address, you need to be able to detect that. You need to determine if that's an intruder right away.
There's a whole subset of the cybersecurity industry that's dealing with this anomaly detection, this intrusion prevention. This is part of accepting that this information is extremely sensitive. You have to protect it, and if you can't protect it then you have to be able to detect when it's being used against you.
Martin: In a simpler sense, Dan, we build protections into the systems we deliver to clients, for example key locks. Physical key locks right on the side of the equipment, and if those key locks are in the off position, there's no external penetration into the box. So when you engineer the system, you turn the key lock on, you engineer it, and when you're done you turn it off.
Something as simple as turning those key locks off can be a huge step forward in physical protection, and making sure those doors are locked. You don't want someone who's coming in from the outside to be able to walk in and be able to turn the key lock on. When they do that they literally expose the system to all kinds of external threats. So, there are physical ways to protect these things that are actually built right into the systems, but they have to be handled correctly at the site.
Patterson: Yeah, physical security as opposed to simply digital security. Gentlemen, thank you very much for your time today. Last question for you. We know, and within the cybersecurity community, you know, the importance of defense, but how does a company convince decision makers and managers to make decisions that could look, on the one hand, like overhead, but on the other hand, are policies that could protect the company?
Kling: Peter you want to take this one first?
Martin: Yeah, you know, one of the things we've noticed over the years, Dan, is that our equipment goes in. It's not like PCs. Our equipment goes in and sometimes it runs for 15, 20, 25 years, and we continually work to keep it as current as we can to make sure that the latest and greatest protection and defenses are built in. But if a client doesn't keep the system current, they can have a system that's running that's 15 years old; a system that actually was designed and implemented before 9/11/2001, when everything opened up. If they're not keeping current, we, as system suppliers, can do all kinds of great stuff to get the latest cybersecurity techniques in there, but there's an obligation on the side of the end user to make sure it's kept current.
Again, in the PC world, we usually go out and buy a new PC every two or three years, so you get the newest, but in the automation world, the automation systems last a long time, so it requires a different approach. Andy?
Kling: This is a good question, I get it frequently. How do you help decision makers realize the importance of cybersecurity?
In cybersecurity, often you'll see cybersecurity sold or pushed as fear. Fear of the uncertainty, "The bad thing's going to happen, you've got to build cybersecurity." Well, I dislike that approach because it's not genuine, it's not honest. It's not taking a factual look at what's going on.
What we often recommend is that our customers assess their risk situation, understand what their risk posture is for their own plants and their own installations, and then understand their own tolerance for risk. This is the language of the decision-makers. Risk and risk management is the language of that C-level person. So, if they now understand what the risks are, and they understand what their risk tolerance is, then it should be clear whether they have something to do or not in terms of addressing cybersecurity risks. This is the story that I try to repeat over and over again.