According to Norm Judah, chief technology officer with Microsoft Services, the most popular topics in the industry, or what he labeled the "shiny thing in the sky", changes. Most recently, it's been big data. Now, it's the Internet of Things.
But the underlying problems with those morphing big shiny things remain, namely, security issues. As Judah pointed out during his Tuesday luncheon speech at ABB's Automation and Power World (APW) in Houston last week, many devices that exist today are problematic in this arena, and that problem doesn't appear to be improving, just getting more complicated.
"The scary thing about the Internet of Things is that it's wildly insecure and unpatachable," he told the audience.
What that means: All the positives that smart grid, interconnected tech, data sharing and smart devices can bring consumers and even industry insiders is overshadowed a bit by security fears and indecisiveness, unfortunately.
So how do we tackle those fears, roll up our sleeves and get started? Well, the first item on the agenda is realization: Just because you're hiding under a rock doesn't mean criminals and hackers are. They're evolving; they're planning. And those plans may include hacking into you. Heads in the sand is not the answer.
"We now have a more IT-focused criminal ecosystem," warned Patrik Boo, a product manager with ABB during the "What do you need to know about cybersecurity?" session at APW. "There are viruses out there, tons and tons of them, and they will wreck systems. There's no escaping that."
"Every modern business is evolving," added Tim Rains, chief security advisor with Microsoft during a Wednesday luncheon speech at APW. "Our evolving business means an evolving threat."
Communication and culture "hacks"
Part of the issue these days, according to Boo and co-presenter Eric Feldmeyer, global operations cybersecurity leader with DuPont, is that this merging of IT and OT has brought different priorities to a head. IT people look at confidentiality first, then integrity and availability. OT people, on the other hand, look at availability first, then integrity and then confidentiality, leading to competing agendas.
Boo and Feldmeyer caution that what has traditionally "always worked" for either silo will have to be adjusted for a blended one. If you take a traditional IT view of "three bad passwords and you're out," such strict adherence could lock an operator out an alarming system without much hope for a workaround.
So compromise and understanding each other's viewpoints remains key. After that, comes measuring the cost of security per issue and per benefit, along with choosing a corporate leader to champion the cause. Cybersecurity is, unfortunately, an issue that will take constant care and upkeep. So, communication between IT, OT and the corporate leadership cannot fall short.
"Security and privacy should be a top leadership concern," Rains pointed out during his speech.
Feldmeyer added that your chosen cyber leader on the corporate level needs access to your top brass, along with an ability to clearly express and interpret complicated engineering ideas. He or she should also know the system and the network you're working with and understand parameters, time constraints, personnel issues and other company insider bits and pieces. That is needed going in. What isn't needed going in? A knowledge of cybersecurity.
While that would be a bonus, Feldmeyer admitted that security knowledge could be learned. But the rest is fundamentally necessary.
What your cyber leader needs to know
So you've chosen your cyber leader. He knows the business, and he knows your systems. Now, what does he need to know about cybersecurity?
First and foremost: That we're way behind those crafty criminals.
"On average, a system is compromised 243 days before detection," Rains told a surprised APW audience.
Rains added that, if you assume you will be breached (or have been breached), there is some comfort in that. You've now given yourself permission to think of the whys and the hows, which that cyber leader with network and system knowledge can help with, and help communicate to the rest of corporate.
And while all the speakers who talked about cybersecurity at APW discussed the constant need for communication, they also all warned that you cannot wait for the security conversation to be "over" to start acting on the situation.
"If we don't tackle security right now with the Internet of Things, the legacy will not be smooth. We'll have devices with issues popping up five years from now, ten years from now," Rains added.
So, talking and action should both be immediate and constant when it comes to cybersecurity.
Markus Braendle, group head of cybersecurity with ABB, added that, as an industry, we also need to look at our lifecycles for technology when talking security. Deployment with security features makes for extended lifecycles and a better cost advantage over trying to retrofit systems.
And, as for those pesky compliance standards that we all discuss as lacking and that seems to come built in with the catch phrase "compliance doesn't equal security," Rains is on the bandwagon, too. He stated that compliance is "necessary but inefficient" and pointed out that "the bad guys have that checklist, too."
Braendle did note that regulations get people to move on the topic of cybersecurity, though. While he didn't say that those make people especially secure, he did see the positives of motivation with the cyber topic that having some regs on the books creates.
Feeling our way forward
All in all, the major theme of cybersecurity at APW was that, as Jonathan Pollet, founder and executive director of Red Tiger Security, stated in the "Cybersecurity: the present state and the future" session: "cybersecurity is a young practice."
In other words, we're all talking about this a lot because there's really not much history to work from. And we'll be talking about it in the future because it will constantly evolve, change, adjust and take new turns. Just get used to lots of talking when it comes to security.
Pollet admitted that there will be more stories on cyber breeches in 2015, and he added, pulling in Rains comment on days attacks go without detection, that it's likely those big stories from later in the year involve attacks that are already started and already worming through systems.
Pollet and his panelists (Charlie Hosner, partner of information protection and business resilience at KPMG, along Braendle and Rains) offered a few insights into what leaders, insiders and vendors should be talking about right now:
- Most plants, companies and utilities have problems with patching, sometimes being a year behind or more.
- Those same people tend to have weak firewall rules, no detection capabilities and few, if any, have ever done a rigorous cyber-themed review of their systems.
- Insiders are overly focused on demonstrating an ROI for cyber rather than thinking of it as managing enterprise risk.
- Too many insiders consider cybersecurity a "special" topic outside of the normal business conversation rather than blending it into everyday business talk, as it should be from now until forever.
- You have to clear out the noise and the emotion. Cybersecurity is just a business change.
- Through all of this, you're not in the boat alone.
Boo and Feldmeyer had some cybersecurity warnings as well:
- Remember (and communicate) that cybersecurity is not a "one and done" issue and will continue forever (as Pollet, Hosner, Braendle and Rains noted and which was a running theme, that "forever" thing).
- Don't buy into the myth of the air gap, which can be superseded rather easily with an item as everyday as a USB stick.
- Balance the added work of "whitelisting" against the benefits it brings you. (Is that upfront level of input too much for the value of that item or process?)
- Understand that all risks are not the same and learn to create a hierarchy (and then learn to adjust it almost daily).
In the end, while this new and painful topic of cybersecurity still causes a lot of fear and panic, what you can't do is go back to ignoring it. It's time to act. As Pollet put it so succinctly during the final APW cybersecurity panel, "What I advise more than anything is that we must stop surviving in the Jon Bon Jovi version of security "livin' on a prayer."
Kathleen Wolf Davis is the Editor-in-Chief of Intelligent Utility Magazine and can be reached at email@example.com. Twitter feed: @IntelUtil