
      Insights on the connected enterprise

    Justifying Industrial Site Cybersecurity Investments to your CEO


    Strategies for Funding Cybersecurity Initiatives

    Plant managers often struggle to convince their CEOs to fund ongoing cybersecurity investments. Their requests for funding face low odds of success for two main reasons. First, cybersecurity requirements are often defined as short-term, finite projects to be funded during the current budget cycle, as opposed to being positioned as long-term investments necessary for conducting business. Such an approach makes it difficult to come back the second year to request additional funding (“I thought we funded this project last year!”). Cybersecurity is an evolution, and protection has to be kept up to date on an ongoing basis or else the initial investment is wasted. Investments in cybersecurity need to become a regular budget line item. Cybersecurity should then embed itself in business processes, much in the same way total quality management (TQM) projects did 20 to 30 years ago.

    Second, plant managers fail to link their proposal to business benefit. C-suite executives express frustration that such proposals from plant personnel lose them in detailed technology discussions surrounding firewalls, complex authentication practices, DMZs and perimeters. Instead, CEOs look for how suggested cybersecurity investments can provide savings, competitive advantage, or faster time to market.

    Address executive fears and review what is at stake

    As a first step, executives need to be presented with a succinct description of the cybersecurity situation. From fiscal year 2011 to fiscal year 2014, the number of cyber incidents involving industrial control systems, including building and access control systems, rose from 140 incidents to 243 incidents, a 74% jump. It is projected that such threats will continue to grow in scope and frequency.

    The sources of threats include not only invisible hackers that are patrolling the internet in search of soft targets, but also internal employees and outside suppliers that come into the industrial sites. The weakest links are the people who administer and use the systems. Their actions, either intentional or unintentional, can increase the security risk to systems.

    “The advent of the Internet and devices like thumb drives have
    made it easy to penetrate the control environment. As a result,
    the concept of ‘inherent’ security doesn’t exist anymore”
    - Dr. Peter Martin, Vice President and Fellow, Schneider Electric

    Cyber-attacks already are costing companies worldwide an estimated $300-400 Billion each year, and that number is projected to increase sharply. Plant managers would greatly help executives by quantifying the business’s financial exposure should a cyber-attack result in unanticipated downtime. Some large industrial companies estimate their cost of downtime at $360 Million a day. In addition, when a plant shuts down unexpectedly it takes 3 to 4 days to get everything started up again. These are sobering lost revenue numbers.

    Another potential concern among executives is the amount of money it will cost to upgrade existing systems in order to render them cyber secure. Most industrial sites rely on a control system architecture that dates back 30-40 years. Executives foresee that it will cost them millions of dollars to rip out these productive, yet aging systems.

    However, this costly and abrupt scenario of “rip and replace” is avoidable if a proper cybersecurity strategy is implemented. The immediate point is that inaction is not an option. Cybersecurity is now a cost of doing business. The question is, what is the optimal approach?

    Older systems may not need advanced protection

    Twenty-five years ago, industrial sites did not need cybersecurity. Although computers and connectivity were prevalent, no mature internet existed. Industrial systems were inherently cyber secure because there was no way for outsiders to get into them.

    The advent of the Internet and devices like thumb drives created the need for the development of more robust security policies. The added connectivity made it easy for outsiders to penetrate the control environment. Therefore, over time, the inherent security of control systems became more and more exposed. However, an assessment or audit of the installed base of equipment can determine which systems are still both highly productive and inherently secure. Such systems can be left alone until the day it is determined that they would be more productive as connected systems.

    “The ability of hackers to access tools and knowledge to make
    their job easier has increased. It now doesn’t take a lot of
    knowledge to take advantage of a situation and deploy a
    cybersecurity attack”
    - Michael Pyle, Vice President, CSO Product Cybersecurity Center,
    Architecture & Innovation, Schneider Electric


    The double-edged sword of connectivity

    Executives should be made aware that cybersecurity threats grow in proportion to the expansion of connectivity. At the same time, a lack of digitization and the related connectivity can cut into production efficiency gains. For example, it is projected that the flood of Industrial Internet of Things (IIoT)-enabled smart devices will facilitate information exchanges among control systems, resulting in efficiency gains of up to 26 per cent. On the other hand, failure to enforce the cybersecurity best practices that this efficiency-fuelled connectivity makes necessary will result in increased downtime and increased threats to human and process safety.

    The happy medium is increased digitization and connectivity (in order to stay competitive and grow revenues) with a sufficient degree of cybersecurity (and this sufficient degree differs within each company and within each industry).

    An initial strategy is to build firewalls to keep outsiders from coming into the corporate network and getting into the control system. This will work in environments where entry points into the system are somewhat limited. However, in an IIoT world, cybersecurity will need to be built into every control system hardware and software component, protecting every node that has computing capability.

    Gradual approach to strengthening cybersecurity infrastructure

    Responsible control system manufacturers are now designing cybersecurity into every module they build and deliver, so that clients don’t have to concern themselves with building in cybersecurity after they purchase a new product.

    Manufacturers like Schneider Electric, for example, apply a Secure Development Life Cycle (SDL) approach to products such as their new Achilles Level 2 Certified M580 PLCs. Within the context of SDL, secure architecture reviews are performed, threat modeling of the conceptual security design takes place, secure coding rules are followed, specialized tools are utilized to analyze code, and security testing of the product is performed. These actions help to ‘harden’ products, making them more resilient against cyber-attacks. In this way, as new products replace old, entire systems evolve to become more cyber secure.

    “Cybersecurity standards and, in some cases, active government
    compliance, are big drivers for having companies expand their
    levels of cybersecurity”
    - Gary Williams MSc ITSEC, Senior Director Technology,
    Cybersecurity & Communications, ISO27001 Lead Auditor, Schneider Electric

    Suggested initial investment

    A prudent first step is to present the CEO with a plan for evaluating the cybersecurity state of affairs within the organization. By enlisting a reputable, experienced control system cybersecurity expert, cybersecurity architecture, design, and implementation plans can be formulated based on existing assets. By identifying the various assets and the criticality of those assets, issues such as standards and compliance can be addressed and an architecture can be designed that protects both new and older assets.
