Cybersecurity Q&A with ABB
According to a study by Inmarsat Enterprise that surveyed 125 businesses across the energy industry, 74% of respondents admitted that their processes to combat cybersecurity threats were lacking, while 73% of them reported that more could be done to protect against data mishandling.
However, despite recognizing the enhanced security threats of industrial IoT, just 43% have invested in new security technologies, and only 30% have partnered with security specialists for assistance.
How much is ABB planning to invest in new security technologies this year?
ABB is very committed to investing in new security technologies. Security, though, is not just about technology. Equally important are people and processes. Therefore, we are heavily investing in resourcing cybersecurity expertise in the energy industries. ABB is consolidating its resources across areas of expertise to support cybersecurity globally. Our investment, as one of the more mature OEMs with long-standing expertise, is in headcount to ensure that our domain expertise is at least equal to our technology.
One of the best ways to remain cyber secure is to keep up to date and maintain environments. Our investment is around helping educate customers to develop the right security programmes, many of which involve third-party technology.
Our investments do not centre around the development of the next anti-virus solution. Rather, our core strength is in investing in how best to deploy an anti-virus solution within our reference design, using our strengths in domain expertise, collaborating with customers, developing kits and third-party tools, and enabling access to data in industrial controls environments to identify and analyse cyber security events. We do all this with the ability to do maintenance and managed services as part of our normal services engagement.
Any new acquisitions or new cybersecurity partners this year?
Yes, cybersecurity partnerships are a core foundation of our strategy and how we work with technology owners and customers. ABB is the integrator. We introduce and help technologies get into environments where ABB has long-standing, trusted relationships.
Our relationship with our customers is less about selling them a single product, and more about the value we can add from our expertise and the trusted integration of solutions. You can’t just introduce some of these tools into an operational environment and hope for the best. You can’t compromise the ability to recover or optimize resilience and availability. As the integrator, we can support the customer by building a business case, cost-modelling solutions, and providing industrial security controls that can be deployed at scale across environments.
Customers are looking for our ongoing support and expertise in cybersecurity. The best approach is for us to get people to act and begin to apply these new tools. As an example, reference designs need to be more validated. We are starting to look at validation capability to see that they work and how to instrument them optimally in our design for mass implementation.
The lack of relevant cybersecurity skills in the industrial sector is a big issue. How do you plan to fill that gap in the upcoming years? Do you plan to invest in cybersecurity programs at universities around the world? Or in internship programs in cybersecurity or more events like “Day of Shecurity”?
Cybersecurity has a real numbers problem right now, because there are so many empty jobs. 58% of companies surveyed in Kaspersky’s recent White Paper, “The State of (global) Industrial Cyber Security 2018”, stated “hiring ICS cybersecurity employees with the right skills” as their top challenge when it comes to managing their organization’s ICT.
There is also a need for increased diversity and to attract more women into cybersecurity, which has something of a gender perception problem. Currently, men dominate the sector, with women expected to make up only 20% of the cybersecurity workforce by the end of this year.
There are no easy answers on this issue. We need to look at supporting talent generation. We need to recruit via internship programs and from universities, and not only recruit but also infuse more around security in the university programmes to address the gap in cybersecurity skills.
What are your end users' biggest concerns when it comes to cybersecurity?
What is important regarding cybersecurity is the impact on availability, resilience and safety. One concern to our customers is around plausibility and likelihood of a cyber-attack. We are focusing more on raising awareness of cybersecurity, by providing simple information that shows an organisation what their exposure to risk looks like. Creating a programmatic or capability approach to develop a program that will demonstrate what they can do to dramatically reduce exposure to risk is important.
Where we provide expertise and value is by helping customers with awareness that creates actions for them; educating them on industry trends; and helping them develop a strong incident response program. The risk is not so much about whether incidents will occur, but how you handle incidents if they do – including the importance of communication around a breach.
Cybersecurity for Oil and Gas Industry
In recent months, both the House and Senate have held hearings on the cybersecurity practices and standards that govern the energy industry. From your perspective, do we need mandatory cyber standards for the oil and gas industry as well? Will more regulation make us safe from pipeline cyberattacks?
OEMs and businesses in the oil and gas industry need to align around strategies that apply security controls to the sector and will meaningfully reduce exposure to risk. The oil and gas industry should lead the way – the more we can self-regulate and demonstrate that we are adopting security controls and practices, as well as aligning and communicating standards, the less likely governments are to intervene.
Regulation is both a good and a bad thing. Government intervention is more probable when private industry isn’t being proactive. If industry professionals do not work together on this issue, we may instead be given requirements and advised what to do. This may be expensive, and less effective overall for the industry.
This interview was conducted with Rob Putman, Global Manager, Cyber Security Services, ABB.