There are around 20 billion connected IoT devices in the world. By 2030, that figure is expected to at least double. It’s an incredible statistic in terms of the pace at which objects, machines and infrastructure have come to support vital industries. It raises the question: how do we secure a rapidly proliferating digital landscape in an industrial operational technology (OT) environment, particularly one in which a single software cybersecurity vulnerability can bring people, companies and industries to a standstill? Such an incident can have broader societal implications and cost billions of dollars in lost revenue and business recovery.
For a global industrial technology leader like Schneider Electric there are few more important considerations. It provides energy and digital automation and industrial IoT solutions for customers in homes, buildings, industries, and critical infrastructure. The company serves 16 critical sectors. It has a vast digital footprint spanning the globe, presenting a complex and ever-evolving risk landscape and attack surface. Cybersecurity, product security and data protection, and a robust and protected end-to-end supply chain for software, hardware, and firmware are fundamental to its business.
Software Supply Chain Security
Which is where Cassie Crossley comes in. In Crossley, Schneider has a leader with vast experience in cybersecurity across IT and product development, including years of business and technical leadership at major organisations such as McAfee, Lotus, IBM, and HP. She has – quite literally – written the book on securing the supply chain. “I had to write it; there are many challenges and huge complexity both for the software and hardware manufacturers and the asset owners. I felt it was a subject that just wasn’t being talked about as much as it should be.” Crossley’s book is titled Software Supply Chain Security: Securing the End-to-End Supply Chain for Software, Firmware, and Hardware, a self-penned bible for any organisation serious about improving the security posture of its products.
“For us, supply chain security means taking a holistic approach and considering every aspect from the beginning to the end of the entire product lifecycle,” she explains. “That means product lifecycle security – we build, supply and manufacture our own products. But we also use third-party components, so we’re responsible for the upstream supply chain too. It also involves SBOM, source code governance, and the security and risk management of the manufacturing process and facilities we use. The security of our products will become part of larger systems, so there is ongoing work we do with customers through our field service engineers. Transversely, we also consider vulnerability management, cyber defence, incident response, and the various policy work I carry out with government organisations.”
Preparing for Cyber Threats
Cyber threats are evolving at an unprecedented pace, with attacks becoming more numerous and frequent. The threat is rising for operational technology in critical infrastructure. Companies in sectors such as energy, water and wastewater, transportation, healthcare and emergency services, chemicals, and food and agriculture face several key risks. These include the ever-widening attack surface as a result of digitalisation and greater connectivity. In a single digital factory, for example, every one of potentially thousands of connected sensors is a possible target and entry point for hackers.
Securing Critical Infrastructure
Elsewhere, legacy infrastructure and ageing assets developed decades ago require challenging ongoing maintenance. Updates are weak spots in a network, and companies face targeted attacks on unique weaknesses that are complex and expensive to defend against. In addition, the OT environment is particularly exposed to third-party risks, including vendor access that, even without malicious intent, poses significant risk.
“From a critical infrastructure perspective, one of the big challenges is that the defence posture of the base can vary,” says Crossley. “We believe in something called ‘secure by operations’, which is similar to a cloud shared responsibility model. Nation state and malicious actors are looking for open and available devices on networks: operational technology and systems that are not built with defence at the core and not normally intended to be internet facing. The fact these products are out there and not behind a DMZ network to add an extra layer of security presents a big risk. It essentially means companies are accidentally exposing their networks. To mitigate this we work with the Department of Energy, CISA, other global agencies, and Internet Service Providers (ISPs). Through our initiative, when we identify customers inadvertently doing this, we inform them and provide information on the risk.”