Cyber Defense: Megan Samford of Schneider Electric On The 5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack
In our uncertain and turbulent world, cyberattacks on private businesses are sadly a common tactic of hostile foreign regimes as well as criminal gangs. Cyberattacks and ransomware have crippled large multinational organizations and even governments. What does every company need to do to protect itself from a cyberattack?
In this series called “5 Things Every American Business Leader Should Do To Shield Themselves From A Cyberattack” we are talking to cybersecurity experts and chief information security officers who can share insights from their experience, with all of us.
As a part of this series, I had the pleasure of interviewing Megan Samford, ISA Global Cybersecurity Alliance Chairperson and Chief Product Security Officer, Energy Management at Schneider Electric.
Hi Megan. Before we get into more technical content, we’d love to hear about how you got started. Is there a particular story or impetus that inspired you to pursue a career in cybersecurity?
I fell into the cybersecurity world a little serendipitously. I started in government doing traditional critical infrastructure protection where I learned incident command system and the foundations of emergency management. Based on my work, I was recruited into the tech sector to apply my experience in writing response plans. My focus within the tech sector, more specifically, has been in industrial OT environments.
Since being in cybersecurity, I have worked to advance the concept in the community that cybersecurity, emergency management and Homeland Security all fall under the domain of disaster science. Aligning cyber professionals on this idea and educating them on emergency management in relation to their OT environments is something that really drives my work.
Who should be most concerned about a cyber-attack? Is it primarily businesses or are private individuals also at risk?
Cybersecurity is certainly an area that we all must manage. That said, it’s hard to know what types of businesses are most at risk because we don’t have complete data around all of the attacks that have occurred. Most of the data available regarding cyber-attacks comes from incidents involving major companies or state departments that drum up lots of media coverage and consequently deeper research. Smaller businesses and individuals have a false sense of security because they have never been attacked, at least that they know of. Small businesses don’t usually have anyone monitoring their networks full time and don’t really know if they’ve had breaches.
Overall, there are many unknowns when it comes to cyber-attacks, but one thing we do know is that hackers are typically, but not always, one of two things. They’re either very opportunistic and are going to take advantage of the scale of major organizations, or they’re nation-state sponsored and are pursuing highly targeted attacks. The unfortunate punchline is that none of us get to decide if we’re the intended victim.
Who should be called first after a company is made aware that they are the victim of a cyber-attack? The local police? The FBI? A cybersecurity expert?
An organization’s first call after a cyber-attack truly depends on what sector or industry they are working in. My first and most general recommendation would be that organizations first contact the Cybersecurity and Infrastructure Security Agency (CISA) after a cyber-attack. CISA is a part of the United States Department of Homeland Security and has infrastructure in place to support a response in any sector. However, if your company has a close relationship with the local FBI field office or a sector-specific cybersecurity organization, those may be better options. The key really is to have a plan in place before you’re in a situation where you need to call anyone.
What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?
Direct exposure is the most common attack vector for ransomware attacks on OT environments. When asset owners have devices that are directly connected to the internet it creates access for ransomware entry and promulgation.
What would you recommend for the government or tech professionals to do to help limit the frequency and severity of these attacks?
The first step to minimize your risk of an attack is to limit opportunities for direct exposure. In OT environments, many organizations lack a centralized asset inventory and often have outdated communication protocols. This leaves gaps in the security of OT equipment. Asset owners should first get all devices directly off the internet and create a segmented architecture that will protect them through multiple layers of defense.
Unfortunately, when an attack happens, there is no formally recognized incident response process in place to be triggered as a response. Cyber is the only federally recognized disaster discipline that doesn’t follow a government incident response structure. To address this gap in response protocol, the ISA Global Cybersecurity Alliance (ISA GCA), in partnership with CISA, has taken the FEMA incident command system model and applied it to cyber. The model is called Incident Command System for Industrial Control Systems, or ICS4ICS. It provides a common language for incidents and proactive response planning. ICS4ICS helps organizations coordinate a systematic response, where everyone knows their role and there is a clear chain of command.
The best thing tech professionals in OT environments can do to be prepared for cyberattacks is to adopt the ICS4ICS protocol and create a coordinated response plan.
This has been a lot of great information. Where can our readers learn more about your work and find resources about incident command systems?
Cybersecurity response teams from more than fifty participating companies, as well as 1,500-plus volunteers around the world, have adopted the ICS4ICS framework. The best thing about it is that it is free. To learn more about ICS4ICS and find out how you can begin to develop an emergency response plan for your OT environment, visit https://isaautomation.isa.org/cybersecurity-alliance/
This was very meaningful, thank you so much. We wish you only continued success on your great work!