Recent attacks on safety systems across multiple industries have proven that cybersecurity is no longer just a company problem to be managed internally by an IT team. The risks do not discriminate by department. In fact, the scale is now much broader than any single organization or industry—cybersecurity is a global problem in need of a global response. Steve Mustard, an independent cybersecurity consultant and the incoming 2021 International Society of Automation (ISA) president, was recently invited to speak with the Strategic Account Management Association (SAMA) as part of a podcast episode on cybersecurity.
Listen to the audio recording below to learn about some of the latest industry challenges and how you can ensure that your company and its partners are protected. We've also provided the transcript if you prefer to read the interview instead.
Harvey Dunham for SAMA: It's my pleasure to be speaking with an expert from the International Society for Automation, Steve Mustard, who's an expert in cybersecurity. Steve, welcome. It's great to be speaking with you, and I look forward to the conversation we're about to have.
Steve Mustard: Thank you, Harvey. I'm very happy to be here. I'm very happy to discuss cybersecurity with your members.
Harvey Dunham: And Steve, would you just give a brief introduction about yourself so they know a little bit about your background and how you earned your stripes in the cybersecurity world.
Steve Mustard: Sure. I've worked in industrial automation and real-time embedded systems for 30 years, space defense and then energy and utility companies. In the last 12, 15 years, cybersecurity has become a big issue in industrial control systems. And as a result of my background, I've gotten heavily involved in that side of life, and I've spent a lot of my time these days consulting with asset owners about how to improve their cybersecurity posture in their mission-critical facilities.
Harvey Dunham: As I understand it, this actually goes outside of just industrial plants, doesn't it? I mean, it can spread into more of the, if you will, commercial sectors, as well, can't it?
Steve Mustard: Absolutely. Yeah. Cybersecurity affects everyone in every sector of business today. And I do tell customers that I work with that it is only a question of when they will be subjected to a cybersecurity incident, not if they will be. And the level of preparedness of the organization is the thing that makes the difference between how serious that incident is for them.
Harvey Dunham: That gives me great context to give our audience, the SAMA audience specifically, a little bit of an idea of why this is such an important topic for strategic account management, because we're seeing the trend across industries; it doesn't matter if you're in logistics or healthcare or industrial, there’s a movement towards digitizing existing products or wrapping some kind of a digital envelope around them. I dare say almost everything that SAMs are selling has a digital element, and because of that, anything that you're selling that goes into a customer's place of business can be introducing significant risk to it.
It’s important for SAMs to be aware of what cybersecurity is, aware of what those risks are and what they need to do to protect their customers and their own company to the extent that they can. Because they're the catalyst when a new installation or a reconfiguration or other change is happening in a customer site. And the more they can do to anticipate and prepare the customer and their own company for this, the more successful the installation, reconfiguration or other change is going to be in the long run.
Steve Mustard: Absolutely. What you just said is really important, and it's an area in the cybersecurity world where suppliers and customers still today don't necessarily have a very good appreciation of, which is that there is a supply chain involved in any organization that involves multiple vendors, multiple suppliers, different products, different solutions and the customer somewhere in there. And there's an assumption that someone else is taking care of cybersecurity somewhere. Yet, as you said, pretty much everything in the operation these days is digitized in some way. And there's a heavy reliance on that digitization. If it fails, then the operation fails. The business fails. They're unable to produce what they're making. They're unable to deliver what they need to deliver. They're unable to fulfill customer requirements. So this is a serious impact on any organization, and SAMs have a big part to play in that, both in terms of making sure that they understand cybersecurity risks and in terms of helping their customers understand cybersecurity risks as well.
Harvey Dunham: Would you give us a better idea of what successful cybersecurity is and the kind of impact it can have on a company?
Steve Mustard: Cybersecurity is really all about an attacker—and we'll talk about those in a moment—exploiting some vulnerability in an organization. And vulnerability is a term that can be interpreted in different ways. But in this context, we're talking about a flaw, usually in software or hardware. Think about it like a hole in a boat. If you've got a hole, there's going to be water coming into the boat, and you're going to eventually sink if you don't do something about it, which is plugging the hole. The difference with vulnerabilities in software is that they're not usually visible, like a hole would be.
So, that Microsoft, for example, provides Windows operating systems. And there are flaws in there. People make mistakes when they're programming it, and then other people discover those mistakes and exploit them even before Microsoft is aware that there is a problem. That is when your potential for getting attacked is increased, because someone is using that "exploit," as we call it, this piece of code that allows them to get through that vulnerability to steal your personal information. Or they get access to your computer so they can do other things on the computer.
And the biggest problem we have really is that we all in the industry recognize that these vulnerabilities exist. But even when they are fixed by the vendors, they have to be updated, the computers that have those vulnerabilities have to be updated in order to make sure they don't have those holes anymore. And that is one of the biggest problems, as you probably know yourself from home. Every time you get one of those messages saying you've got an update to apply, on your phone or your iPad or whatever it might be. You're constantly seeing these messages saying you've got to update it, which is tedious and you don't really want to do it. It takes 15 minutes to update your phone. And so you tend to put it off and, by putting it off, then you're leaving yourself exposed to these vulnerabilities that people can exploit.
But it's not just flaws in software and hardware. It can also be flaws in processes and procedures. And this is especially important where you've got a relationship, a strategic relationship, with a customer that, for example, might have a procedure for providing information or one for paying bills that involves logging into the customer's system. If those procedures aren't followed properly, you can also have some exploitation of that flaw as well.
So a good example would be, you take a USB drive and you want to plug it into a computer at the customer's location so you can provide them with some information or print something out. If you haven't scanned the USB for malware, malware could get from the USB drive to the customer's computer. And then once it's on the customer's computer, you might not have even known it got in there, and then it potentially gets all around their network and then causes major problems for them.
Harvey Dunham: Sounds like the coronavirus in a way.
Steve Mustard: Yeah, pretty much. That's a good summary. Yeah.
Harvey Dunham: If you could give an example of the kind of damage this can do, that'd be great. I know it happens in industrial arenas, but maybe two or three examples....a hospital, for example?
Steve Mustard: Right. So most people, I think, have heard of some high-profile ransomware incidents that have been reported in the news, where someone gets what's called ransomware on their computers, and that makes it impossible for them to get access to their customer information for instance, or they can't run their business. And they're very often forced to pay the ransom. There can be tens of millions of dollars in ransoms potentially to get people's data back.
But I want to talk about a specific case where this happened. In this case, no one actually was targeted with this particular ransomware. It's called WannaCry, and it came up in May 2017. It's believed to have come from North Korea, and it's believed to have been part of North Korea's attempt literally just to make some money for themselves. They were only charging $300 per computer to release the ransomware lock on the computer. So it doesn't sound like very much money, but this one actually ultimately infected 230,000+ computers around the world.
One of the biggest impacts was actually the UK's National Health Service (NHS). About one third of computers in the UK's NHS were impacted by this. As a result, thousands of appointments were canceled, ambulances had to be re-routed and there were all kinds of other problems with the NHS's operation just because of this ransomware. And as I said, bear in mind that the NHS wasn't targeted by anyone here. They were just unfortunate enough to have lots of computers which had a version of Microsoft's operating system which had a vulnerability that hadn't been fixed--even though, in this particular case, Microsoft had fixed the vulnerability several months before. But the National Health Service, like many other users, hadn't bothered to update their computers.
This particular ransomware also impacted the Maersk shipping company. They ended up spending something in the region of $300 million to recover from that incident, and they had several days where their operations were impacted by this ransomware.
The other thing that is very common in cybersecurity, which most people are familiar with, is data breaches. So we're familiar with the case of, say, your own personal information—Personally Identifiable Information as it's called, or PII. That can be things like credit card information, social security number and such like. People steal that and they sell it on the dark web for something like $1 or $2 per record. Sounds like not very much, but again, you're talking about potentially millions of records that you can steal. In the Target case—Target, the supermarket that was hacked in 2013--they had 70 million records stolen, not a bad haul for someone. But Personal Health Information, or PHI, can sell for 200 times or 300 times the amount that a Personally Identifiable Information record can be sold for.
The U.S. has regulations on protection of health information, HIPAA, and similar regulations exist around the world. In the U.S., if you have a breach that involves more than 500 records, you have to report that to the Department of Health and Human Services. So there are a lot of records about these breaches; something on the order of 15 million health records have been stolen to date in the U.S. alone. And that's based on the reports that we've got. Now, a lot of cybersecurity incidents don't get as well reported. So that's probably an underestimate in terms of how many records have been stolen, and bear in mind that's people's Personal Health Information that is now being sold on the black market for $300 or $400 a record.
Harvey Dunham: Wow. That's amazing. That's just—it's frightening in a lot of ways. I mean, it's a significant amount of money involved here, a significant amount of risk. And once again, this is industry specific, right? I mean, if you're in the B2B world, I suppose it's even in the B2C world. It's pervasive. Nobody's immune.
Steve Mustard: Nobody is immune, that's right. And I think the worst thing we can have is where customers or vendors or suppliers or consultants think they're invulnerable. They think they're not a target. They think they're not at risk. Maybe they think, "Well, I'm a small player. No, one's going to bother to target me."
But the examples like I gave with WannaCry, you don't have to be an actual target. You just have to be part of the collateral damage in a widespread malware attack where people are just looking to make as much money as possible, as quickly as possible.
Harvey Dunham: When I think about our clients... Typically a strategic account is one of your larger customers. For any given business, if your strategic accounts are those accounts that are strategic to you and, at the highest level, you are also strategic to them, very often you've got more access to those customers and they trust you, you know, trust built up over time.
For your customers, I mean, what are the IT and the C-level people, what are they concerned about? How do they look at these risks? And how high are cybersecurity risks on IT and the CIO and the CEO's agenda? Are they aware of it? Do they care about it? I mean, does this keep them up at night? How would you characterize that?
Steve Mustard: I would say that today, most organizations would be aware and concerned about a cybersecurity incident in their organization. So think that the CEO, the CIO or CSO, depending on what type of organization it is, they will be thinking about this problem all the time and constantly worried about what the next attack is going to be and are they prepared for that. The problem, I think, with most of the organizations is that there's often a gap between the C-level, where it's understood that this is a risk, and farther down in the organization, where people are maybe less well-informed about the risks and may not have had adequate awareness, training and preparation for dealing with those incidents.
So if you think about the examples I gave with the ransomware, the recommendation from the Department of Homeland Security and the FBI is that if you have ransomware on your computer, you should not pay the ransom. It encourages further attempts at ransomware attacks on you and others. In fact, in many cases, there's no guarantee that even if you pay the ransom, you get the data back. So the only option you've got then is to be better prepared for an incident. As I said at the outset here, it is only a matter of time when an organization gets hit. It's not if they get hit, it's when, and it's how well prepared they are as to how serious it is for them.
So a good organization would have a response plan in place that will say, "If we get an incident, this is what we're going to do to deal with it. This is who we're going to call. This is how we're going to handle it." And included in that would be making sure that you have your backups in place and you've tested them and you're ready to deploy them if you need to.
This is again where strategic account management comes in because, as you said, the strategic account is by very definition core to the operation of the customer. It's an integral part; often they're [the SAM and the customer] working side by side in the same buildings, in the same networks and they're collaborating on stuff all the time. And when an organization does have an incident, the strategic account management has to come into play as well. They have to be part of the response. It's not just for the customer to respond, but all the time I see that organizations who aren't well prepared panic; they have no response plan in place. They don't have that established communication channel with the vendors and the suppliers and the strategic account managers, and they have a knee-jerk reaction. And then that often includes "We've got to pay the ransom as quickly as possible and get our data back."
A most recent example is Garmin, who provides sports watches and computerized cycling and running. They got hit, and they were clearly totally unprepared. They ended up paying the ransom because their customers were complaining that they could not download the activities that they'd recorded on their computers. And basically the fundamental purpose of that Garmin website was to allow customers to do that. So because they had no plan in place, they were forced to pay the ransom, and they should not have paid the ransom. They should've had a plan in place to recover back to a certain point in time and resume operations as quickly as possible.
Harvey Dunham: So how should a SAM show up at their customer with regard to this issue? I mean, what would be the ideal way for a SAM to walk in the door with a new solution that's got a digital element, which is probably almost anything you're going to do these days will have some kind of a digital impact on your customer's infrastructure. What do you think a customer would really value from the SAM and how, if they showed us this way?
Steve Mustard: I think a good SAM would turn up at a customer, offering their solution and being able to tell the customer, "We have made this secure by design. We understand security risks. We understand the challenge you will have. We know that your business is critical, and we know that whatever you buy is going to form a critical part of that critical business. Therefore, it cannot be compromised by anyone. We have taken that into account in our design, and we've done all of these things, and we verified it with independent test houses, and we know it's as secure as it can be by design."
I would then say, "We also know that defense in depth is an essential part of protecting an organization against a security incident. So just because our solution is secure by design does not mean that your overall operation is going to be secure. You're going to have to do some things in collaboration with us in order to ensure continued security. And here is our guidance, and here's our support, and here's how we will help you make that defense in depth work in your organization.
I think that it's changed a bit in recent years, but for many years I would talk to-- I would be on a customer site, and I would be looking at something which clearly was insecure. And I would ask the supplier about that insecure solution. And they would say, "It's not our problem to make this secure. It's the customer's job to do that." That's simply not acceptable these days. A good strategic account management organization would say, "We understand security, and we know we have an important part to play in it, and we are going to play that part. And we're going to work very closely to make sure that you have an incident response plan in place that involves us, that allows us to react immediately to get you back up and running as quickly as possible."
Harvey Dunham: Wow. So what I'm hearing from this is that for the SAMs out there, you should really be asking your own company before you approach the customer, " Are we secure by design, and do we have... what was that? The term that you used again, please?
Steve Mustard: Defense in depth. It's a military term, actually, and it originates way back when, in the days of forts and castles. Especially in Europe, you would have your moat and your drawbridge and your spiked fence, and you'd have your archers, and you would have a tower on a hill, and you'd have another gate inside. And you'd have all these different layers of defense in place so that even if someone could breach the moat, they still would have to get through the gate, and they still would have to get through the archers. And then even when they get through the first gate, they've got to get through the next gate, and so on and so on and so on. So all the way you're deterring someone from reaching the ultimate goal.
And with attackers in cybersecurity, it's exactly the same. An attacker, if it proves too difficult to breach one organization, they'll eventually give up and move to someone else who's less well prepared. So defense in depth, it's a bit like that story of being chased by the bear. You don't have to be the fastest runner. You just don't have to be as slow as the slowest runner because the bear will get them instead. Right?
So in cybersecurity, that's very much the case, and the organizations that actively manage cybersecurity, including with their suppliers, their vendors, if they're all part of that supply chain, they all need to be part of that defense in depth. And the Target example from 2013 that I mentioned earlier is the best example of what happens when this isn’t the case.
In 2013, Target was attacked. They weren't attacked directly; their HVAC vendor was attacked. Someone in that organization received a phishing email. They clicked on the link that gave the attackers access to their computer. And because the HVAC vendor was a strategic supplier to Target, the attackers had direct access to Target's financial systems so they could generate their invoices. Once the attackers were on Target’s vendor's computer, they were able to get into Target's computer. And once in Target's computer, they could get to the point-of-sale system and steal 70 million credit card records. So that is the problem. If Target is saying, “We're worried about cybersecurity," that's great. And they do a really good job of making themselves secure. But if their vendors don't make themselves secure, they're the weakest link. And they're what the attacker is going to target.
Harvey Dunham: Just to be clear here, I can see for a new installation this is an issue. But if you have legacy systems in your customer, is that a vulnerability as well?
Steve Mustard: It is. Yeah. In fact, it's hard to say which is worse, but I probably err on the side of the older the equipment and the installation, the more vulnerable it is, the more exposed the organization will be to attack.
Just think about, for instance, the age of the Microsoft operating system that's running on the computers. If you go into many fast food restaurants, for instance, if you ever see their point-of-sale computer being rebooted, you can often see which version of Windows they run on. I was in a fast food restaurant not too long ago in Australia, and one of their point-of-sale computers was down and it was restarting in Microsoft Windows XP, which has not been actively supported by Microsoft for many years. But they were still running it on their point-of-sale system.
So the challenge is it's very costly, expensive, and time consuming to upgrade systems like point of sale because it's mission critical and you can't afford to take it down for too long, so you tend to defer that upgrade as long as possible. But the longer you defer it, the more known vulnerabilities there are in that system, and the more opportunities there are for attackers to exploit those vulnerabilities.
The other problem with old systems and old facilities is that people forget what's actually there. It was installed many years ago. They have very poor documentation. They don't have very good drawings. They don't really know exactly what's out there. The person who used to maintain it retired a few years ago, and the new people only know what they've been told. And then, not so much these days, but not too long ago, I would go to facilities and I'd go around the back of the cabinet, and I'd find an old dial-up modem still plugged into a telephone line. I'd ask someone about that and they would say, "Oh yeah, I forgot about that. But yeah, the supplier, they use that to dial in every now and again to check something.” But it's permanently connected, and it shouldn't be permanently connected because that's a way in for someone else.
So old systems: very problematic, hard to manage and understandably difficult to upgrade to the latest standard. But even new systems in new facilities, it can take years to deploy a new manufacturing facility or new hospital or logistics center. The project I'm working on at the moment is building a new oil and gas platform, and that project has been running for more than ten years now. And for the last four years it's been in the actual construction phase, but a lot of decisions that have been made for that project were made more than five years ago.
Products were purchased which are coming towards the end of their life now, and they have to be upgraded already before we even have finished the project. And that is not unusual in this type of environment where you've got huge networks of equipment to manage a mission- critical operation for someone.
Harvey Dunham: Wow. It's mind boggling to think about, which brings to mind something I hadn't thought about until just now—your customer's legal department. I'm still thinking about a legacy system—or a new system—but I suppose you as the supplier have some legal risk if there's a breach, if you introduce a breach into your customer. Do you have any sense of that? I know legal isn't necessarily your area, but any stories or any experience that you've seen from a legal perspective about the risk that a supplier has?
Steve Mustard: Well, yeah, I'm certainly not a legal expert, but I do see it as a big minefield. It's a big gray area because it's not at the moment maybe as well defined as the world of safety, for instance, product safety, where it's quite clear whose liability it is for some failure. So today, if there's a breach and someone has ransomware, say, and they have to pay the ransom, I don't currently see a lot of suppliers being involved in having to pay any kind of restitution for that. But what I do see is that they have more like a moral obligation. If they want to maintain that customer relationship, then they're going to have to step up and provide the resources to help the customer clean up afterwards. And that's very expensive for them. So even if they're not going to be fined or there's not going to be a lawsuit for them to recover money, they're going to spend a lot of money recovering.
Not too long ago, there was Saudi Aramco, one of the biggest companies in the world. They've been attacked multiple times. Probably it was geopolitical players attacking them, trying to destabilize Saudi Arabia. But more recently, attackers have pivoted to vendors. So towards the end of 2018, a couple of key vendors for Saudi Aramco were attacked directly , similar to what happened with Target, to get into Saudi Aramco and disrupt the operations via a strategic vendor. Now, as a result, those vendors spent millions and millions of dollars having to recover from that situation and to help not only Saudi Aramco but also all the other oil and gas customers that they had accounts with that were using the same infrastructure they were providing to Saudi Aramco.
So it's a huge challenge for any supplier/vendor to operate in this day and age because the risks, as I said before, go through the entire supply chain and, of course, there's no easy way to extricate yourself from that and say, "Well, you know, we've done our bit. And so it's all down to you." It isn't. Everybody's always got some responsibility for maintaining cybersecurity.
Harvey Dunham: Well the message is clear. I get it. Even if they can't sue you, if they know it was you that introduced the vulnerability and you don't help your customer, they're not going to be a customer for very long. That's pretty clear to me.
Steve Mustard: Yeah. That's right.
Harvey Dunham: You've opened up a world to us, Steve, that I'm almost lost for words for what I've learned during our conversation here, and I hope it's as valuable for our members. Maybe one other thing: if somebody is really interested in this topic and wants to learn more, is there a place that's publicly accessible, that they can get more education on this topic and really figure out how to be proactive and care for their customers better by being smarter about this issue and being proactive and introducing it with their customers?
Steve Mustard: Yes. ISA [The International Society of Automation] has a link on their website, which brings together a whole host of cybersecurity resources that are available for members and nonmembers to read. They also have an alliance called the ISAGCA or [ISA] Global Cybersecurity Alliance that brings together end users, vendors and consultants to help organizations understand this problem and understand how they're going to deal with the challenges. They publish a number of white papers and recommendations and guidance that's available in that link. So if I provide that link to your members, I would definitely recommend they go and check that out because that will be a good introduction to some, and for those who already are up to speed, they can learn some more about other things they can be doing.
Harvey Dunham: I suppose in this field [cybersecurity] that it's evolving and changing every day. It seems to be. I mean, as quickly as you plug one hole, the hackers, for lack of a better word, figure out a different way around it.
Steve Mustard: That's right. It's a constantly changing field, but there are some unchangeable things like the things we've talked about, about understanding the risk and understanding defense in depth. But the threat is always changing. The people are changing. And the attacks are changing. Every time we plug a hole, they find a new one. So this is never going to go away. It's always going to be a problem. And once organizations recognize it and begin to deal with it, then they're in a much better place and much less likely to be severely impacted.
Harvey Dunham: Well we talk a lot in the strategic account management world about how to be relevant and indispensable to our customers. I see a very, very clear path for SAMs because it sounds like it's more the exception rather than the rule, the suppliers that are sensitive to the cybersecurity issue and being proactive about it. So I think you SAMs out there can really differentiate yourself by walking in with a secure-by-design approach and really tackling it head on with your customer.
We talk a lot about customers. They have a need for an automation system or a control system or an enterprise-wide software solution, whatever it may be. But the unconsidered need is, “How are you going to ensure my cybersecurity when I put this in place? And if you, as the SAM, proactively address that, they're going to look at you differently and better. You'll stand out in the crowd.
Which is why I felt it was really important to get this threat exposed, and you've just done a marvelous job, Steve, of opening our eyes to this. So thank you very much. I wish you good luck on your project that you're on and thank you so much for the collaboration with ISA and SAMA. We really appreciate it.
Steve Mustard: Well, thank you for your time and thank you for giving me the opportunity to raise the awareness. I think it's a really important message to get out there and you summed it up perfectly about being proactive. That's what this is about, and I hope this helps your members.
Interested in reading more articles like this? Subscribe to ISA Interchange and receive weekly emails with links to our latest interviews, news, thought leadership, tips, and more from the automation industry.