The Cyber Threats are Real – We’ve Got to Be Ready
Utility executives must understand that they’re at heightened risk, says Christophe Blassiau, Schneider Electric Global CISO
Creating data-driven, digitized platforms and businesses is at the forefront of utility companies’ agendas today. Rightfully so: consumers do everything online, and they demand the same of the companies that provide them a service. This requires converging systems and technologies, connecting everything – from information to assets. But the more you move your information and assets online, the more at risk you are from a cyber-attack.
I’m not talking theory here. The past few years have brought the threat into stark relief. We’ve seen an increasing number of attempts, both globally and in the Gulf, to target a variety of industries. Increasingly, hackers are attacking industrial targets.
They understand the amount of damage that can be done by taking a plant offline. These people aren’t amateurs; given the state of relations across the region, the assumption is that cyber threats will increasingly be associated with cyber warfare. Utilities across the Gulf are primarily state-owned. Utility executives must understand that they’re at heightened risk. And they’ve got to be prepared for anything.
But what should the Gulf’s utilities do to defend themselves? Where should they start? Here are my three essential steps every utility leader in the Gulf should take.
View cybersecurity as a business enabler
There’s a misconception that the Chief Information Officer must be a cybersecurity expert. Being a company’s cybersecurity leader is not about being a cybersecurity expert, but rather about being a digital transformation advocate who can connect the dots within the company and its extended enterprise.
At a minimum, every person in the leadership team must understand the potential for being targeted, ask themselves what role they need to play in protecting the company’s assets, and frame digital risk in the context of a business-enabling conversation.
Whenever I meet with a utility company executive, I ask them, “What is the bottom-line impact of cyber threats to cost, continuity, and customer confidence?” By reframing the conversation in terms of what impact the hack can have on the business and customers, we’ll be able to focus minds on getting the resources and the support we need to better safeguard our organizations.
Widen the risk aperture beyond the perimeter
We have no perimeter anymore. Everything is connected, from the supply chain, delivery, and deployment of products and solutions, to customer sites and managed assets. This landscape is expanded by technology that connects everything, from people to process.
The online landscape is going to become even more complex, with 75 billion connected devices by 2025 according to Statista. And that’s not even taking into account the possibilities of the smart home, a concept in which utilities will play a major role.
From Information Technology to Operational Technology — and from our customers to our enterprise — the potential cyberattack surface is large and can be used at any step of the kill chain.
We, therefore, must adopt a layered approach to cybersecurity that tracks to the NIST framework with its five concurrent and continuous functions: Identify, Protect, Detect, Respond, and Recover.
Addressing every element of this broadened perspective requires an ecosystem of partners. This is why Schneider Electric is a founding member of the ISA Global Cybersecurity Alliance, as well as a member of Cyber Tech Accord and the Cybersecurity Coalition.
Such accords allow companies involved in automation to act as owners, to ensure a more secure approach for products and systems.
This also supports stronger international rules and coordinated diplomatic enforcement to restrain cyberthreats. Scaling the opportunities in the ecosystem with best-in-breed collaborators, including vendors and utilities, strengthens digital innovation.
For instance, Schneider partners with an OT infrastructure security specialist to secure factories, and uses AI-based prediction and prevention software to reinforce our endpoint enterprise security.
Every business must continually take new steps toward strengthening the technology ecosystem with partners, customers, and governments, in order to strengthen security protection for all.
Adopt a “Cybersecurity by Design” approach
Cybersecurity by Design is not just about secure product development and delivery. It’s also a business process—an end-to-end mindset. Cybersecurity is much greater than a task or a step in a process – it is a continuous, always-on, proactive activity.
This holistic strategy includes people, processes, and technologies that integrate security at every step instead of downstream, which often is very late. Too late, in fact.
When it comes to the Secure Development Lifecycle (SDL) for products, think about the Cybersecurity by Design posture this way: if you find a crack in a building, you would have to go back to the foundation, and perhaps the design, to fix it.
Likewise, if you don’t consider product security in the beginning, you’d have to go back to the architecture itself — to the R&D whiteboard and supply chain — to address the issue and course correct. Imagine the challenges.
We continuously heed lessons learned to strengthen our cybersecurity process, and we share this collective expertise with our customers. As part of the SDL process, we embed security at the beginning as we develop IoT-enabled solutions.
Answering the global call for trust and security
Across today’s highly connected landscape, cybersecurity must become an inherent part of every company’s business culture, processes, and innovation.
This holds even for a company such as Schneider Electric, which is an expert in cybersecurity. Schneider’s posture is open-minded, embracing the lessons learned on our own digital transformation journey. I want to ensure that others can learn from our experiences before having to live their own.