The promise of the Industrial Internet of Things (IIoT) is no joke. Whether steel mill or beverage manufacturer or oil refinery, the benefits of connected operations—optimization, efficiency, profitability—are profound. But the threat that connectivity brings with it is no joke either.
“None of this works without cybersecurity. Everything we do, every R&D effort, the first thing we think about, the middle thing we think about, the last thing we think about is cybersecurity,” said Thad Frost, Foxboro DCS leader for Schneider Electric, during a press briefing about distributed control system (DCS) advances. “If cybersecurity breaks down, all this starts circling the drain.”
So cybersecurity was mentioned early and often in many of the discussions this week at Innovation Days, Schneider Electric’s Foxboro and Triconex user group meetings in Austin. The automation and energy management company has taken a leadership position in cybersecurity—highly involved in the development of the ISA/IEC 62443-4-1 cybersecurity standard and applying that experience to how it develops more secure products.
Part of the company’s excitement this week was over the certification it has received from TÜV Rheinland that its global Secure Development Lifecycle (SDL) process complies with ISA/IEC 62443-4-1. Focused on the process requirements for secure product development, Schneider Electric’s SDL practices cover everything from product conception through commercialization, relying on a user-centric approach that ensures everyone involved in the development process is personally responsible for the security of the company’s offerings. The certification warrants that cybersecurity is considered in every phase of the company’s product development process.
“This means that from concept through design, development, delivery, implementation, cybersecurity is considered right through the lifecycle,” says Gary Williams, senior director, cybersecurity services offer leader for Schneider Electric, noting that the certification is a testament to Schneider Electric’s commitment to security.
“The TÜV Rheinland certification shows Schneider Electric’s serious commitment to developing, delivering and maintaining secure products, systems and solutions, from smart homes and cities to the most critical operations,” said Thomas Steffens, regional business segment manager for TÜV Rheinland. “Certifying its SDL process to the ISA/IEC 62443-4-1 standard means Schneider Electric has further strengthened its development process to help its customers avoid and counter cyber risks.”
User responsibility
Though the SDL process is in place to ensure Schneider Electric’s products are as secure as possible, the supplier also emphasized throughout the week the importance of their customers taking the responsible steps necessary to maintain security within their plants.
“Cybersecurity, like safety, is a shared responsibility,” said Andre Ristaino, managing director for ISA Secure, during a panel discussion on cybersecurity. “The standards have 15 sections. Four sections are oriented toward suppliers and what they’re doing to make products secure. Five of them are specific to asset owners.”
As a founding member of the ISA Global Cybersecurity Alliance (GCA), Schneider Electric is adamant about its efforts to get all parts of the ecosystem working to recognize and consistently respond to emerging cyber threats. Launched in July, the alliance brings together end-user companies, technology and system vendors, IT infrastructure vendors, services providers, system integrators, and other organizations. Much of the focus of the alliance is on educating users and driving awareness about cybersecurity, advocating broad adoption of the ISA/IEC 62443 standards.
Williams likes to couch the cybersecurity challenge in terms of poachers and gamekeepers. The poachers are getting much better at what they’re doing. They can attack anybody anywhere. People are the biggest risk in any operation. “No matter what we put in place, there’s a human in there,” he says.
But the more the hackers manage to get through, the more industry can learn about how to better protect their systems. “We’re learning all the time,” Williams said during a cybersecurity panel. “There is no end game to this. The more people test from a poacher perspective, the better gamekeeper I can be.”
Getting people educated is the biggest hurdle to making plants safe, he added. So education is a big focus for Schneider Electric and for the GCA.
An important part of that is educating the workers on the plant floor about how to recognize cybersecurity incidents and how to know what to do in such a case. “They’re the first people that are going to know something is wrong with the plant,” Williams says. “If he’s cyber aware, he’ll stop and think: Could this be a cyber event?”
Plants need standard processes in place for cyber events. “There always a sign that says, ‘In case of fire, do XYZ. Why isn’t there an incident response next to it? Tell people how to do it. Stick it up on the wall,” Williams says. “People are the most valuable assets; they’re also your biggest risk.”
The alliance is progressing well. Announced at the end of July with six founding members, it now has 18. “This alliance not only brings in expertise from operations but also IT,” Williams says. “We already can see the value with different expertise by each one of the parties.”
GCA is still in its formative stages, but the ultimate goal is to be able to share knowledge, expertise, and experience for everyone’s benefit, notes Tom Clary, director of global communications for industrial automation at Schneider Electric.
“Everyone’s around the table. The fact that we started that is huge. I am really looking forward to the future and what we can bring to that,” Williams says. “There’s discussion around the table with peers around industry, and different perspectives help you come up with something that’s ubiquitous and valuable to everybody.”
An important aspect to the alliance, Williams notes, is an acknowledgement that most users work with more than one automation supplier in their plants. “Instead of Schneider Electric looking after Schneider Electric products or Yokogawa looking after Yokogawa products, we will cover cybersecurity holistically to cover all vendors,” he says.
“You guys have two or three members making up your facility,” Williams told a panel audience when speaking further about the alliance. “This is an alliance with the competition removed. We’re measuring cybersecurity for what’s the threat if you integrate two different vendor systems together. It is a paradigm shift. It’s definitely a plus moving forward, and I’m really proud of the fact that we’re working together.”
One of the next steps for the alliance is to reach out to government agencies in an effort to align standards in various regions around the world.
