Speakers: Paul Forney, Chief Security Architect, Schneider Electric
Megan Samford, Director of Product Security, Rockwell
Interviewer: Willy Leichter, VP of Marketing, Virsec
Willy: As I’ve been saying, give us a few minutes of your time. We’ve got free Starbucks gift cards but, more importantly, you can hear from some true industry experts in the industrial control space around security. Very pleased to have joining us, Megan Samford, who is global director of product security from Rockwell and we have Paul Forney, who is the chief security architect for Schneider Electric. So, both real industry leaders here. And Megan, maybe you can just briefly introduce yourself and tell us what you focus on in terms of security.
Megan: Sure, thank you. This is very exciting. I was very happy to receive the invitation from you all. Obviously, we’re very tied with Schneider Electric through our work together in the ISA Global Cybersecurity Alliance. My role within Rockwell is really defining the security strategy for how we secure our products prior to shipment.
So, this includes everything from governance, risk and compliance, alignment with our IEC 62443 standards work, certifications, as well as security operations teams that support the SDLC. So, our teams run penetration tests. They do open source analysis scanning. They basically remediate issues that could be security related prior to the product shipping. We’re also heavily involved in overall cyber security strategy for the company and partnerships and other areas of interest – kind of from the ambassador role standpoint of our brand reputation, selling into the market, and assuring customers that when they buy one of our products, they have confidence that they’re buying a product that aligns to international standards for security and is being shipped in a way that most security is responsible for.
Willy: All right. Thanks. Paul, maybe you can just briefly – I know you touch on a lot of things.
Paul: Paul Forney. I’ve been with Schneider Electric for 25 years. I’ve been 30 years in the business of industrial automation and about 20 now dedicated to cyber security.
Just like Megan, I work for the product security office across all the products of Schneider Electric – we have thousands, as you might know – looking for the right technologies that help us become more secure. We help build all those policies that people have to follow, the SDLs. We also participate in a lot of the standards bodies with Rockwell, Honeywell, and all the other vendors in our space, to create the standards by which we build products, trying to make sure that they have the right capabilities. But one of the things I do is I also work in the forensic space and I’ve worked with some of the major attacks that we’ve had recently. You probably would know about some. I probably won’t want to mention the names right now, but they’ve become so scary that in our world, when an attack happens, you don’t lose a PowerPoint or lose your credit card; many people may lose their life.
So, it’s very serious to us in the whole security space related to safety. It’s very important. And also, one of the things we mentioned today in our panel – I don’t know if you all saw that – was the way we work across the industry between vendors and are able to share different technologies that make sense in our world. One of those we’ve investigated here is with Virsec and we’ve done quite a big POC with their product. One of my areas of research that I work extensively in is memory-based attacks.
And if you know, about 90 percent of what people get attacked with today are file-less attacks. They’re not resident on your box. Your AV’s not gonna see them. So, we’re gonna have an amazing time trying to find those things before they do real damage. And in our world, damage is serious.
And so, we’ve had a great time so far working with Virsec and they’ve done a really good job of being able to identify some of these attacks.
Willy: Thank you, Paul. So, Megan, I’m curious – seems like a lot of security or legacy security in the industrial control space has been built around isolation or the assumption of isolation. But we’ve seen so much digital transformation now and all the advantages of being connected, how are your customers – or how is Rockwell – balancing this in terms of being more connected and still maintaining enough isolation for security?
Megan: Sure. So, I think there’s a few pieces there. So, it’s the work that I briefly described internally, which is ensuring that our products are shipping and that they have followed our SDLC. And in Rockwell, that’s known as the Rockwell Automation Product Life Cycle, where we embed both product safety as well as security directly into the way that we’re making products. With that, I can tell you that there are over 150 requirements that every product has to meet from a security perspective before it gets approval to ship.
So, we’re very serious when it comes to confidence that we have in our products from a security perspective, as well as the second part of the equation, which is the services and solutions that we help provide customers in their environments. These are really companion products that support our individual controller products, our 3-3 systems that we’re working with customers to certify, the 3-2 risk assessment and then, again, additional services and solutions that the customer is asking for, really, to help make their security experience a little bit more user intuitive.
A good example of that would be we’re partnered with Claroty, for example, to provide threat detection capability today, right? And so, I tell folks, in order of magnitude, what’s gonna give you the most bang for your buck is having a solid asset inventory, having a threat detection capability, as well as what I think the conversation here is about – which is about endpoint security. Those items are gonna give you a lot of bang for your buck. And in terms of solving problems in order of magnitude, that’s the honest recommendation that I give folks today.
Willy: Thank you. And Paul, you touched on these memory-based attacks, these file-less attacks. Can you maybe expand on that a little bit what the concern is with them?
Paul: You mean I’m not loud enough? I’m usually too loud. Okay. Yeah. So, anyway, the way things work in memory, I feel terrible talking about this ’cause we have such experts here in Virsec, you know?
Some of my mentors that I’ve been studying with exist right here in this company so, it’s very difficult to actually come up and be any type of expert on this type of thing. But really, you know, this is the way that attackers are definitely mobilizing in our space. You can have AV, and if there’s a signature, it’s gonna be taken off your disk, right? There’s all sorts of other rules that are going on – protection mechanisms for endpoints – to be able to see things. But what is very difficult to guard against is the actual user paths – that would be the allowed paths – that we have with our applications today. Something that is normal but is being used by an adversary is very difficult to block. Once it’s in there, it’s able to get into your space and then actually run its code, basically stitched together out of components of your own code – so, these are ROP-style attacks where it takes gadgets – it builds gadgets to build malware in real time.
You’ll never detect it on the wire. You’ll never detect it on the disk. And even some of the largest attacks we’ve dealt with today – like Triton – was never visible. You cannot even see it, even if you looked directly at the machine and tried to examine it. You can’t tell it’s even there.
But the damage it can do? Serious. Very serious damage. So, anything that you can do from a file-based perspective, you can definitely do in memory. That’s where things are actually happening anyway. So, was that good?
Willy: Oh, that was great. Thank you, Paul. Let me take a different tack with you, Megan. So, we’re working a lot in the industrial control space, but it does seem like there’s a bit of a – maybe a language disconnect between people on the OT side and people like us in pure IT security. Do you find that you’re having to span a divide there? Are people extremely smart on both sides and tend to be thinking about different things? Is that something you’ve had to deal with?
Megan: Sure. Absolutely. I think it’s just part of the natural evolution of industry and that 10 years ago, it was the OT engineer that was really controlling that factory floor and they were singularly making decisions that were in the best interest of protecting those assets and they weren’t wrong, right? However, there’s no way anyone could have projected the threat landscape that we’re dealing with today and with that, you have really talented folks on the IT security side, the CISO position that’s coming in, and now, we’re seeing that CISOs often, either they’re directly accountable and/or responsible for the security of that manufacturing environment because it ties back to the protection of the brand of the company. And with that, you’re seeing CISOs who have had kind of a 20-year start in this space, by a very organized community, they are using that CISO lens to gauge maturity and overall health within the factory environments when it comes to security. So, they’re looking for things like what’s my patch level, right?
So, when something like Lukey comes out, within a matter of days, they’re able to patch their enterprise network and reach levels of 97 percent patch fidelity; then, they’re able to report up through their senior leadership to provide assurance that the company’s effectively protected from the threat. On the OT side, we’re just not there yet and so, you may have to delay patching until the plant goes on shutdown unless you’re doing an emergency patch. And emergency patching costs a lot of money and it eats into the bottom line. Therefore, I think the OT engineers are helping to bridge the gap in explaining their priorities and coming to agreement with the CISOs on what is possible. Good endpoint protection technologies buy you some time and help satisfy the voice of the customer from the CISO as well as the OT engineer perspective.
And another piece that I think, quite frankly, we have to work on a little bit is that somewhere over the course of the last decade, the OT engineers have somewhat lost confidence, I think, in their ability to speak to this problem and that the CISOs definitely know what they’re talking about on the cyber side.
And so, we need to do a better job of arming the OT engineers again so that they feel confident coming to the table and having that conversation with the CISOs.